Powerchute Serial Shutdown

7 CVEs for this product

CVE-2026-2401 LOW Monitor

Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior expose confidential information through log file insertion when a Web Admin user executes a malicious file supplied by an attacker. The vulnerability (CWE-532) results in low confidentiality impact with local access required and user interaction; no public exploit code or active exploitation has been identified, and the overall CVSS score of 2.4 reflects limited real-world risk despite information disclosure classification.

Information Disclosure · Powerchute Serial Shutdown · Sources: NVD · CVSS 4.0: 2.4 · EPSS: 0.0%
CVE-2026-2400 MEDIUM This Month

CRLF injection in Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior allows authenticated Web Admin users to reset application user credentials by manipulating the POST /setPCBEDesc request payload, achieving limited availability impact with CVSS 5.3 and confirmed actively exploited status (CISA KEV).

Code Injection · Powerchute Serial Shutdown · Sources: NVD · CVSS 4.0: 5.3 · EPSS: 0.0%
CVE-2026-2403 MEDIUM This Month

Improper validation of input quantity in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows authenticated Web Admin users to truncate event and data logs via crafted POST /logsettings requests, compromising log integrity and audit trail reliability. The vulnerability requires valid admin credentials and network access, but it directly impacts forensic and compliance capabilities. No public exploit code or active exploitation has been confirmed at the time of analysis.

Information Disclosure · Powerchute Serial Shutdown · Sources: NVD · CVSS 4.0: 5.3 · EPSS: 0.1%
CVE-2026-2405 MEDIUM PATCH This Month

Denial of service in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows authenticated Web Admin users to trigger uncontrolled resource consumption by flooding the system with POST requests to the /helpabout endpoint, causing excessive troubleshooting zip file creation and service degradation. The attack requires valid admin credentials and network access to the web interface; the CVSS score of 5.3 reflects low availability impact with no confidentiality or integrity compromise.

Denial Of Service · Powerchute Serial Shutdown · Sources: NVD, GitHub · CVSS 4.0: 5.3 · EPSS: 0.0%
CVE-2026-2402 MEDIUM This Month

Schneider Electric PowerChute Serial Shutdown v1.4 and prior allows remote credential brute force attacks due to missing rate limiting on authentication endpoints, enabling attackers to enumerate valid credentials across multiple API endpoints with no authentication prerequisite. The vulnerability has a CVSS score of 6.9 with network-based attack vector and no user interaction required, though the impact is limited to information disclosure rather than full account takeover.

Information Disclosure · Powerchute Serial Shutdown · Sources: NVD, VulDB · CVSS 4.0: 6.9 · EPSS: 0.1%
CVE-2026-2404 MEDIUM PATCH This Month

Log injection via improper output encoding in Schneider Electric PowerChute™ Serial Shutdown allows unauthenticated remote attackers to forge or inject malicious log entries by sending crafted POST requests to the /j_security_check endpoint, potentially obscuring attack trails or triggering false alerts.

Code Injection · Powerchute Serial Shutdown · Sources: NVD, GitHub, VulDB · CVSS 4.0: 6.9 · EPSS: 0.0%
CVE-2026-2399 MEDIUM This Month

PowerChute Serial Shutdown allows authenticated administrative users to overwrite critical system files via path traversal in the POST /REST/upssleep endpoint using maliciously crafted request payloads, potentially causing complete system compromise or denial of service. The vulnerability requires high-privilege Web Admin credentials and adjacent network access, but results in total integrity and availability impact across the affected system. No public exploit code has been identified at the time of analysis.

Path Traversal · Powerchute Serial Shutdown · Sources: NVD, GitHub, VulDB · CVSS 4.0: 6.9 · EPSS: 0.0%