Description
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files to be overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload.
Published: 2026-04-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Critical File Overwrite
Action: Apply Patch
AI Analysis

Impact

A path traversal flaw in the /REST/upssleep API of Schneider Electric’s PowerChute Serial Shutdown allows an authenticated Web Administrator to construct a POST request whose payload points to arbitrary file paths. The resulting write overwrites essential configuration files with attacker-supplied data, potentially disrupting power management operations and compromising device reliability.

Affected Systems

The vulnerability affects Schneider Electric PowerChute Serial Shutdown devices. No affected version ranges are provided, so all current releases must be treated as affected until an official fix is deployed.

Risk and Exploitability

The CVSS base score is 6.9, indicating moderate risk. No EPSS data is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires valid Web Administrator credentials, which limits the attack surface to systems whose web interface is reachable and grants such privileges. Once authenticated, the attacker can overwrite critical files, leading to configuration loss or system downtime.

Generated by OpenCVE AI on April 14, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Schneider Electric PowerChute Serial Shutdown security patch or firmware update as released.
  • If a patch is not yet available, restrict Web Administrator access to trusted personnel and enforce strong authentication.
  • Monitor HTTP traffic for abnormal POST requests to the /REST/upssleep endpoint.
  • Verify the integrity of critical configuration files after remediation.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:45:00 +0000

Type | Values Removed | Values Added
Title | | Path Traversal Allows Critical File Overwrite in PowerChute Serial Shutdown

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Schneider-electric; Schneider-electric powerchute Serial Shutdown
Vendors & Products | | Schneider-electric; Schneider-electric powerchute Serial Shutdown

Tue, 14 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload.
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Schneider-electric Powerchute Serial Shutdown
MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-04-14T15:52:07.599Z

Reserved: 2026-02-12T13:16:54.228Z

Link: CVE-2026-2399

Vulnrichment

Updated: 2026-04-14T15:52:01.686Z

NVD

Status : Received

Published: 2026-04-14T16:16:38.290

Modified: 2026-04-14T16:16:38.290

Link: CVE-2026-2399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses