Skip to main content

Powerchute Serial Shutdown EUVDEUVD-2026-22282

| CVE-2026-2399 MEDIUM
Path Traversal (CWE-22)
2026-04-14 schneider GHSA-4v7v-7v7r-3r5h
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 17:04 vuln.today
CVSS changed
Apr 14, 2026 - 16:22 NVD
6.9 (MEDIUM)
EUVD ID Assigned
Apr 14, 2026 - 16:00 euvd
EUVD-2026-22282
Analysis Generated
Apr 14, 2026 - 16:00 vuln.today
CVE Published
Apr 14, 2026 - 15:09 nvd
MEDIUM 6.9

DescriptionCVE.org

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload.

AnalysisAI

PowerChute Serial Shutdown allows authenticated administrative users to overwrite critical system files via path traversal in the POST /REST/upssleep endpoint when maliciously crafting request payloads, potentially causing complete system compromise or denial of service. The vulnerability requires high-privilege Web Admin credentials and adjacent network access, but results in total integrity and availability impact across the affected system. No public exploit code has been identified at the time of analysis.

Technical ContextAI

The vulnerability is a classic CWE-22 path traversal flaw in a REST API endpoint that processes user-supplied file path parameters without proper validation or sanitization. PowerChute Serial Shutdown, a Schneider Electric UPS management application, fails to restrict directory access when parsing the POST /REST/upssleep request payload, allowing an authenticated administrator to traverse the filesystem using relative path sequences (such as '../') to write data outside intended directories. This flaw exists in the web administration interface and affects the application's ability to enforce pathname restrictions, a critical control in multi-user or high-security deployments where administrative credentials may be compromised or misused.

RemediationAI

Schneider Electric has released a security notice (SEVD-2026-104-01) available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf; users must download this document to identify the patched version and upgrade timeline. In the interim, restrict network access to the PowerChute Serial Shutdown web administration interface using firewall rules to allow only trusted administrative hosts, limit Web Admin user accounts to only those who require them, and monitor for unusual POST /REST/upssleep requests with path traversal sequences (../ or ..\) in request logs.

Share

EUVD-2026-22282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy