Executive Summary

CVE-2026-2404 covers a cluster of weaknesses in Schneider Electric PowerChute Serial Shutdown at version 1.4 and earlier that allow an attacker to overwrite critical files, forge or truncate log data, reset user credentials, and trigger denial-of-service conditions against the software that governs graceful equipment shutdown during power loss. Because PowerChute sits directly in the path between UPS state and controlled shutdown of downstream hosts, corruption of its logic or credentials can force uncontrolled power-down of servers, historians, and HMIs at the exact moment a facility is riding through a power event.

Technical Exposure Breakdown

PowerChute Serial Shutdown monitors a UPS over a serial or USB link and orchestrates an ordered shutdown sequence when battery runtime falls below a configured threshold. The reported CVSS score is 5.3, but that figure understates the operational leverage this component holds. The vulnerability set spans several distinct primitives.

The attack conditions depend on how the management interface is exposed. Many deployments place PowerChute on a general-purpose Windows or Linux host inside the control network rather than on an isolated appliance, which widens the reachable attack surface well beyond the serial link itself.

OT Impact and Compliance Risk

The physical failure mode is the concern. A forced or suppressed shutdown removes the controlled degradation that keeps process controllers, SCADA servers, and historians from corrupting state during power transitions. In water and wastewater facilities, an uncontrolled loss of the supervisory layer during a power event can interrupt chemical dosing control and monitoring. In generation and substation environments, loss of historian and HMI continuity complicates event reconstruction.

For IEC 62443, this maps to failures in system integrity and audit logging requirements under the foundational requirements, specifically the guarantees around use control and timely response to events. Log forgery directly undermines the audit trail that IEC 62443-3-3 expects. For NERC CIP asset owners, tampering with logging on a system associated with BES Cyber Assets touches CIP-007 security event monitoring and CIP-010 baseline integrity. Water utilities operating under AWIA 2018 risk assessment obligations should treat the shutdown coordinator as a resilience-critical component. Pipeline operators under TSA SD-02C should account for it within their required logging and access control measures.

Compensating Controls

Do not rely on the vendor update alone, and do not run an active vulnerability scan against the PowerChute host or its attached UPS. Active scanning can disrupt the serial or USB polling loop and, on some UPS firmware, can trigger the very shutdown behavior you are trying to protect.

BreachSpider Intel

BreachSpider tracks Schneider Electric PowerChute exposure and related ICS advisories across our database of 350,000+ CVEs and 25,000+ ICS CVEs mapped to 175,000+ OT products for continuous monitoring of your affected asset base.