Schneider Electric PowerChute Serial Shutdown < 1.5 Multiple Vulnerabilities (SEVD-2026-104-01)

medium Nessus Plugin ID 306551

Synopsis

Schneider Electric PowerChute Serial Shutdown installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Schneider Electric PowerChute Serial Shutdown installed on the remote host is prior to 1.5. It is, therefore, affected by multiple vulnerabilities, including:

- An improper limitation of a pathname to a restricted directory vulnerability exists that could cause critical files to be overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload. (CVE-2026-2399)

- An improper encoding or escaping of output vulnerability exists that could cause log injection and forged log entries when an attacker alters the POST /j_security_check request payload. (CVE-2026-2404)

- An improper restriction of excessive authentication attempts vulnerability exists that could allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints. (CVE-2026-2402)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Schneider Electric PowerChute Serial Shutdown version 1.5 or later.

See Also

http://www.nessus.org/u?c261f9a3

Plugin Details

Severity: Medium

ID: 306551

File Name: schneider_electric_powerchute_serial_shutdown_1_5.nasl

Version: 1.1

Type: Local

Agent: windows, macosx, unix

Family: Misc.

Published: 4/15/2026

Updated: 4/15/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.1

Vector: CVSS2#AV:A/AC:L/Au:S/C:N/I:C/A:C

CVSS Score Source: CVE-2026-2399

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: x-cpe:/a:schneider-electric:powerchute_serial_shutdown

Required KB Items: installed_sw/Schneider Electric PowerChute Serial Shutdown

Patch Publication Date: 4/14/2026

Vulnerability Publication Date: 4/14/2026

Reference Information

CVE: CVE-2026-2399, CVE-2026-2400, CVE-2026-2401, CVE-2026-2402, CVE-2026-2403, CVE-2026-2404, CVE-2026-2405