Description
CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed when a Web Admin user executes a malicious file provided by an attacker.
Published: 2026-04-14
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Assess Impact
AI Analysis

Impact

A vulnerability allows the insertion of sensitive data into log files when a Web Admin user runs a malicious file. The impact is the potential disclosure of confidential information, compromising data confidentiality while using the device.

Affected Systems

The affected product is Schneider Electric’s PowerChute® Serial Shutdown. No specific version information is supplied in the advisory.

Risk and Exploitability

The CVSS score of 2.4 indicates a low overall severity. The statement does not provide an EPSS score, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. The likely attack vector requires a Web Admin or privileged user to execute a malicious file, which makes this a local or high-privilege attack. Because the vulnerability involves sensitive data being logged, the exploitation risk is modest but remains a concern if an attacker can gain admin access.

Generated by OpenCVE AI on April 14, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether a patch or update has been released by Schneider Electric for the PowerChute Serial Shutdown product and apply it immediately.
  • Restrict administrative access to the device and enforce least‑privilege policies to limit the ability to run arbitrary files.
  • Review and adjust the logging configuration to exclude or mask sensitive data that may be written to log files.
  • Monitor logs for unusual entries that could indicate the execution of malicious code, and consult the vendor’s security notice (SEVD-2026-104-01) for further recommendations.


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Sensitive Information Exposure via Log Injection in PowerChute Serial Shutdown

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Schneider-electric
Schneider-electric powerchute Serial Shutdown
Vendors & Products Schneider-electric
Schneider-electric powerchute Serial Shutdown

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed when a Web Admin user executes a malicious file provided by an attacker.
Weaknesses CWE-532
References
Metrics cvssV4_0

{'score': 2.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-04-14T16:27:16.331Z

Reserved: 2026-02-12T13:18:59.627Z

Link: CVE-2026-2401

Vulnrichment

Updated: 2026-04-14T16:23:21.395Z

NVD

Status: Received

Published: 2026-04-14T16:16:38.623

Modified: 2026-04-14T16:16:38.623

Link: CVE-2026-2401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:16Z

Weaknesses