Description
CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests.
Published: 2026-04-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via uncontrolled zip file creation
Action: Apply Patch
AI Analysis

Impact

A flaw in Schneider Electric PowerChute Serial Shutdown allows a Web Administrator to flood the system with POST /helpabout requests, causing uncontrolled resource consumption and excessive troubleshooting zip file creation that can exhaust storage and degrade service. The resulting denial of service impacts availability by rendering the web interface unresponsive or exhausting server resources. The problem reflects the weakness of uncontrolled resource consumption, categorized as CWE-400.

Affected Systems

The vulnerability affects Schneider Electric PowerChute Serial Shutdown. No specific product version information is provided in the advisory. Users should verify the firmware or software version of their PowerChute installation to determine applicability.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk. Exploitation requires access to the web admin interface; an attacker would need to authenticate as a Web Administrator or otherwise gain the ability to issue repeated POST /helpabout requests. Because no EPSS score is available and the vulnerability is not listed in the KEV catalog, the likelihood of exploitation is uncertain but the potential impact warrants immediate attention. The attack can be mitigated by applying the available vendor patch, restricting access to the web interface, or implementing traffic rate limiting.

Generated by OpenCVE AI on April 14, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available Schneider Electric patch or update for PowerChute Serial Shutdown
  • If a patch is not yet released, restrict access to the Web Admin interface to trusted administrators only
  • Implement firewall or rate‑limiting rules to block repeated POST /helpabout requests

Generated by OpenCVE AI on April 14, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Uncontrolled Resource Consumption on PowerChute Web Admin

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Schneider-electric
Schneider-electric powerchute Serial Shutdown
Vendors & Products Schneider-electric
Schneider-electric powerchute Serial Shutdown

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests.
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Schneider-electric Powerchute Serial Shutdown
cve-icon MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-04-14T16:27:33.148Z

Reserved: 2026-02-12T13:19:05.750Z

Link: CVE-2026-2405

cve-icon Vulnrichment

Updated: 2026-04-14T16:25:53.946Z

cve-icon NVD

Status : Received

Published: 2026-04-14T16:16:39.197

Modified: 2026-04-14T16:16:39.197

Link: CVE-2026-2405

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:19Z

Weaknesses