Schneider Electric PowerChute Serial Shutdown

View CSAF

1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Schneider Electric Equipment: PowerChute Serial Shutdown Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Improper Restriction of Excessive Authentication Attempts, Incorrect Default Permissions
2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to access user accounts or gain elevated system access.
3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of Schneider Electric PowerChute Serial Shutdown are affected: Schneider Electric PowerChute Serial Shutdown: Versions 1.3 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22 A path traversal vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST/REST/UpdateJRE request payload. CVE-2025-11565 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). 3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307 An improper restriction of excessive authentication attempts vulnerability exists that could allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint. CVE-2025-11566 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). 3.2.3 INCORRECT DEFAULT PERMISSIONS CWE-276 An incorrect default permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured. CVE-2025-11567 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: France 3.4 RESEARCHER Aleksandar Djurdjevic reported these vulnerabilities to Schneider Electric. Schneider Electric reported these vulnerabilities to CISA.
4. MITIGATIONS Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk: PowerChute Serial Shutdown Versions v1.3 and prior: Version v1.4 of PowerChute Serial Shutdown includes a fix for these vulnerabilities and is available for download here:

Windows: https://www.se.com/ww/en/download/document/SPD-PCSS_WIN_EN/ Linux: https://www.se.com/ww/en/download/document/SPD-PCSS_LNX_EN/ (CVE-2025-11567) PowerChute Serial Shutdown Versions v1.3 and prior: To ensure remediation of CVE-2025-11567, users should immediately apply the following steps. If PowerChute is installed in a custom folder, ensure that the required permissions are set on the custom folder. NOTE: It is recommended to set administrative permissions on the custom folder. Specific instructions for these mitigations can be found in the Security Handbook. The following product versions have been fixed: PowerChute Serial Shutdown Version v1.4 installed on Microsoft Windows is a fixed version for CVE-2025-11565 PowerChute Serial Shutdown Version v1.4 installed on Red Hat Enterprise Linux is a fixed version for CVE-2025-11565 PowerChute Serial Shutdown Version v1.4 installed on SuSE Linux is a fixed version for CVE-2025-11565 PowerChute Serial Shutdown Version v1.4 installed on Microsoft Windows is a fixed version for CVE-2025-11566 PowerChute Serial Shutdown Version v1.4 installed on Red Hat Enterprise Linux is a fixed version for CVE-2025-11566 PowerChute Serial Shutdown Version v1.4 installed on SuSE Linux is a fixed version for CVE-2025-11566 PowerChute Serial Shutdown Version v1.4 installed on Microsoft Windows is a fixed version for CVE-2025-11567 PowerChute Serial Shutdown Version v1.4 installed on Red Hat Enterprise Linux is a fixed version for CVE-2025-11567 PowerChute Serial Shutdown Version v1.4 installed on SuSE Linux is a fixed version for CVE-2025-11567 For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-315-01 PowerChute Serial Shutdown - SEVD-2025-315-01 PDF Version, PowerChute Serial Shutdown - SEVD-2025-315-01 CSAF Version. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY November 18, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-315-01