Description
CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints.
Published: 2026-04-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Account Access
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows an attacker to perform an arbitrary number of authentication attempts with different credentials across multiple endpoints, effectively bypassing standard rate limiting. This Improper Restriction of Excessive Authentication Attempts could lead to unauthorized access to user accounts, compromising confidentiality and permitting further system exploitation.

Affected Systems

Schneider Electric PowerChute Serial Shutdown is affected. No specific version information is provided, so any deployment of this product is potentially vulnerable until a vendor update is applied.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting current exploitation may be limited. The likely attack vector is through repeated credential submissions to the product’s authentication endpoints, and exploitation requires no special privileges or complex conditions beyond repeated access.

Generated by OpenCVE AI on April 14, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update from Schneider Electric for PowerChute Serial Shutdown.
  • If no update is available, enable account lockout after a set number of failed attempts.
  • Implement multi-factor authentication for all user accounts.
  • Restrict access to the management interface to trusted network ranges.
  • Regularly review authentication logs for suspicious activity.
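The weakness in the description (attempts counted per endpoint, so spreading guesses over several login endpoints never trips the limit) and the lockout recommendation above, as an added Python example. It is not code from OpenCVE, Schneider Electric or PowerChute Serial Shutdown; the endpoint paths, thresholds and credential store are assumptions constructed for the demonstration. The same sliding-window tracker is run with two keying policies so the difference is visible on one replayed sequence.

```python
import hmac
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Hashable, List, Tuple

# Assumed policy values for the demonstration, not taken from the advisory.
MAX_FAILURES = 5        # lock after this many failures ...
WINDOW_SECONDS = 300    # ... observed inside a sliding 5-minute window
LOCKOUT_SECONDS = 900   # then refuse the account for 15 minutes

# Constructed credential store; a real service compares password hashes.
USERS = {"admin": "correct-horse-battery-staple"}

Key = Tuple[Hashable, ...]


class FailureTracker:
    """Sliding-window failure counter with lockout, keyed by a caller-chosen tuple."""

    def __init__(self) -> None:
        self.failures: Dict[Key, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[Key, float] = {}

    def is_locked(self, key: Key, now: float) -> bool:
        return self.locked_until.get(key, 0.0) > now

    def record_failure(self, key: Key, now: float) -> None:
        window = self.failures[key]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()            # forget failures older than the window
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            window.clear()

    def record_success(self, key: Key, now: float) -> None:
        self.failures.pop(key, None)


def per_endpoint_key(endpoint: str, account: str) -> Key:
    """Weak policy: every endpoint keeps its own count (the CWE-307 pattern in the CVE)."""
    return (endpoint, account)


def per_account_key(endpoint: str, account: str) -> Key:
    """Correct policy: one count per account, whichever endpoint receives the attempt."""
    return (account,)


def authenticate(tracker: FailureTracker, key_fn: Callable[[str, str], Key],
                 endpoint: str, account: str, password: str, now: float) -> str:
    """Return 'ok', 'fail' or 'locked'; a locked account is refused before any check."""
    key = key_fn(endpoint, account)
    if tracker.is_locked(key, now):
        return "locked"
    expected = USERS.get(account, "")
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        tracker.record_success(key, now)
        return "ok"
    tracker.record_failure(key, now)    # unknown accounts are counted too
    return "fail"


ENDPOINTS = ["/api/login", "/legacy/login", "/ws/auth"]   # constructed paths


def run_guessing_sequence(key_fn: Callable[[str, str], Key]) -> Dict[str, object]:
    """Replay 12 wrong guesses rotated across the endpoints, then the real password."""
    tracker = FailureTracker()
    outcomes: List[str] = []
    for i in range(12):
        endpoint = ENDPOINTS[i % len(ENDPOINTS)]
        outcomes.append(authenticate(tracker, key_fn, endpoint, "admin",
                                     f"guess{i}", now=10.0 * i))
    final = authenticate(tracker, key_fn, ENDPOINTS[0], "admin",
                         USERS["admin"], now=120.0)
    return {
        "evaluated": outcomes.count("fail"),   # guesses the server actually checked
        "blocked": outcomes.count("locked"),   # guesses rejected by the lockout
        "final": final,
    }


if __name__ == "__main__":
    for name, fn in (("per-endpoint", per_endpoint_key), ("per-account", per_account_key)):
        print(name, run_guessing_sequence(fn))
```

With the per-endpoint key, each of the three endpoints sees only four failures, so all twelve guesses are evaluated and the final correct password is accepted; with the per-account key the fifth failure locks the account and the remaining guesses, correct password included, are refused without being checked. Two design points matter in practice: the lock is tested before the credential so a locked account gives the same answer for right and wrong passwords, and an account-wide lockout is itself a lever for denying service to a legitimate user, which is why it belongs alongside the network restriction and log review in the list above rather than in place of them.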



Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Repeated Authentication Attempts Allow Unauthorized Account Access

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Schneider-electric; Schneider-electric powerchute Serial Shutdown

Type: Vendors & Products
Values Removed: (none)
Values Added: Schneider-electric; Schneider-electric powerchute Serial Shutdown

Tue, 14 Apr 2026 15:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints.

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-307

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Schneider-electric Powerchute Serial Shutdown
MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-04-14T16:27:38.566Z

Reserved: 2026-02-12T13:19:01.113Z

Link: CVE-2026-2402

Vulnrichment

Updated: 2026-04-14T16:26:12.735Z

NVD

Status: Received

Published: 2026-04-14T16:16:38.767

Modified: 2026-04-14T16:16:38.767

Link: CVE-2026-2402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:21Z

Weaknesses