Description
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.
Published: 2026-04-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Reset
Action: Apply Patch
AI Analysis

Impact

The flaw is an Improper Neutralization of CRLF Sequences that allows a Web Admin user to inject line-break characters into the POST /setPCBEDesc request payload. The injected sequences can reset the application's user credentials, which removes the administrator's authenticated session. This weakness is a classic instance of the CWE-93 class and exposes users to a denial of authorized access rather than arbitrary code execution.

Affected Systems

Schneider Electric’s PowerChute Serial Shutdown is impacted. No specific version information was disclosed in the advisory, so all deployments of this product should be treated as potentially vulnerable until an official update is released.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk. EPSS data is unavailable and the vulnerability is not listed in CISA's KEV catalog, suggesting it has not yet been widely exploited. The likely attack vector is the web-based administrative interface: an attacker would need to persuade, or compromise, a user with administrative privileges to submit a crafted POST request. Because an authenticated user is required to trigger the payload, the flaw offers little as a public foothold, but it remains a serious risk for unattended admin accounts.

Generated by OpenCVE AI on April 14, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Schneider Electric firmware or software bundle that eliminates the CRLF injection issue.
  • If a patch is not yet available, severely restrict network access to the Web‑Admin interface, limiting access to a narrow set of trusted IP addresses and enforcing strong authentication.
  • Disable the /setPCBEDesc endpoint if it is not required in your environment, or configure the application to strip CRLF characters from input.
  • Continuously monitor application logs for abnormal POST requests to /setPCBEDesc and investigate promptly.
  • Contact Schneider Electric for the most recent advisories and guidance on applying fixes.
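The recommendation to neutralize CRLF characters at the input boundary is the generic fix for the CWE-93 class. The following Python is an added example written for this page, not code from OpenCVE or Schneider Electric, and it says nothing about how PowerChute actually stores its data. It assumes a hypothetical line-oriented "key=value" settings store (constructed here) to show why an unvalidated description field with an embedded CR/LF lets one record spill into another, and contrasts two defender-side policies: reject the value outright, or strip the control characters before the value reaches the store.

```python
import re

# Hypothetical line-oriented "key=value" settings store, constructed for this
# example. It stands in for any backend where one record is one line; it is
# NOT PowerChute's actual storage format.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # CR (0x0d), LF (0x0a) and other controls


class CrlfInjectionError(ValueError):
    """Raised when a single-line field contains CR, LF or another control character."""


def validate_single_line(value: str, max_len: int = 255) -> str:
    """Reject policy: a description must be printable and fit on one line."""
    if len(value) > max_len:
        raise ValueError(f"value exceeds {max_len} characters")
    match = CONTROL_CHARS.search(value)
    if match:
        raise CrlfInjectionError(
            f"control character 0x{ord(match.group()):02x} at offset {match.start()}"
        )
    return value


def sanitize_single_line(value: str) -> str:
    """Strip policy: replace each control character with a space (lossy but safe)."""
    return CONTROL_CHARS.sub(" ", value)


def serialize_settings(settings: dict) -> str:
    """One 'key=value' record per line; keys are assumed to be fixed identifiers."""
    return "".join(f"{key}={value}\n" for key, value in settings.items())


def parse_settings(text: str) -> dict:
    """Re-read the store the way the application would: split on line breaks."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def set_description_unsafe(settings: dict, description: str) -> str:
    """Vulnerable variant: the submitted value goes straight into the store."""
    updated = dict(settings, description=description)
    return serialize_settings(updated)


def set_description_safe(settings: dict, description: str) -> str:
    """Hardened variant: neutralize CRLF before the value reaches the store."""
    updated = dict(settings, description=validate_single_line(description))
    return serialize_settings(updated)


# Constructed starting state and a constructed hostile value: the line break
# smuggles a second record that overrides an unrelated setting.
BASELINE = {"logging": "on", "description": "UPS rack 3"}
INJECTED = "UPS rack 3\r\nlogging=off"


def demo() -> dict:
    """Return what the parser sees after each variant handles the hostile value."""
    unsafe_view = parse_settings(set_description_unsafe(BASELINE, INJECTED))
    try:
        set_description_safe(BASELINE, INJECTED)
        safe_result = "accepted"
    except CrlfInjectionError as exc:
        safe_result = f"rejected: {exc}"
    return {
        "unsafe_logging": unsafe_view["logging"],   # "off": the injected record won
        "safe_result": safe_result,                 # rejected at the input boundary
        "sanitized": sanitize_single_line(INJECTED),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Rejecting is the better default for a field like a description: a stripped value silently changes what the administrator typed, and the log line produced by the rejection is exactly the "abnormal POST request to /setPCBEDesc" the monitoring recommendation above asks you to watch for.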

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000
  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:45:00 +0000
  Type: Title
  Values Added: CRLF Injection Enables Credential Reset in PowerChute Serial Shutdown

Tue, 14 Apr 2026 16:30:00 +0000
  Type: First Time appeared
  Values Added: Schneider-electric; Schneider-electric powerchute Serial Shutdown
  Type: Vendors & Products
  Values Added: Schneider-electric; Schneider-electric powerchute Serial Shutdown

Tue, 14 Apr 2026 15:45:00 +0000
  Type: Description
  Values Added: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.
  Type: Weaknesses
  Values Added: CWE-93
  Type: References
  Values Added: (no values shown)
  Type: Metrics (cvssV4_0)
  Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Schneider-electric Powerchute Serial Shutdown
MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-04-14T16:27:22.220Z

Reserved: 2026-02-12T13:17:07.149Z

Link: CVE-2026-2400

Vulnrichment

Updated: 2026-04-14T16:23:39.299Z

NVD

Status : Received

Published: 2026-04-14T16:16:38.477

Modified: 2026-04-14T16:16:38.477

Link: CVE-2026-2400

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:17Z

Weaknesses