Path Traversal in Schneider Electric Powerchute™ Serial Shutdown

CVE-2026-2399

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload.

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (9.0th percentile) — read the EPSS interpretation.

Affected products

Schneider Electric Powerchute™ Serial Shutdown — versions Versions 1.4 and prior

Weakness classification (CWE)

CWE-22 — Path Traversal

References

download.schneider-electric.com/files