Back to Intelligence

ICSA-26-190-02: Detecting and Mitigating Schneider Electric PowerChute Vulnerabilities

SA
Security Arsenal Team
July 9, 2026
7 min read

CISA recently released advisory ICSA-26-190-02 detailing multiple security vulnerabilities in Schneider Electric's PowerChute Serial Shutdown software. While often overlooked as peripheral utilities, power management software represents a critical attack vector within Operational Technology (OT) and data center environments. Successful exploitation of these flaws could allow attackers to overwrite critical files, inject malicious log data, reset user credentials, or trigger denial-of-service conditions. Given the affected software's deep integration with power infrastructure, the integrity of these systems is paramount. Defenders must immediately identify instances of PowerChute Serial Shutdown version 1.4 and below and apply remediation steps to prevent potential system manipulation or data loss.

Technical Analysis

Affected Products:

  • Product: Schneider Electric PowerChute Serial Shutdown
  • Affected Versions: <= 1.4
  • Platform/OS: SuSE, Red Hat, Microsoft Windows

Vulnerability Details: The advisory identifies a combination of web-based and logic vulnerabilities:

  • Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): Attackers can exploit directory traversal sequences (e.g., ../) to write files outside of the intended web root or log directory. This can lead to system file overwrite or potential code execution if web-accessible scripts are manipulated.
  • Improper Encoding or Escaping of Output (CRLF Injection): The application fails to properly sanitize output, allowing attackers to inject Carriage Return and Line Feed (CRLF) characters. This facilitates log forging (injecting fake entries into system logs) or potentially splitting HTTP responses (Response Splitting).
  • Improper Restriction of Excessive Authentication Attempts: The application lacks robust rate limiting or lockout mechanisms. This allows for brute-force attacks against user accounts, leading to unauthorized access or credential resets.
  • Uncontrolled Resource Consumption: A specific input can trigger a resource exhaustion condition, resulting in a Denial of Service (DoS) for the monitoring service.

CVSS Score: 6.1 (Medium)

Exploitation Status: While the advisory does not explicitly confirm active exploitation in the wild at this time, the simplicity of the vectors (Path Traversal and Log Injection) makes them high-risk for automated scanning and opportunistic attacks. In ICS environments, even a DoS condition can have significant physical impacts.

Detection & Response

To detect potential exploitation attempts against PowerChute Serial Shutdown, security teams should hunt for indicators of Path Traversal, CRLF Injection, and excessive authentication failures targeting the management interface.

SIGMA Rules

YAML
---
title: Potential Path Traversal Attempt Against Web Management Interface
id: 8a2c1d5e-4f3a-4b7a-9c1d-2e3f4a5b6c7d
status: experimental
description: Detects potential path traversal activity in web logs targeting management interfaces like PowerChute. Attackers use sequences like '../' to escape the web root.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-02
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: web_access
  product: proxy
detection:
  selection:
    cs-uri-query|contains:
      - '../'
      - '%2e%2e%2f'
      - '..\'
      - '%2e%2e%5c'
  condition: selection
falsepositives:
  - Misconfigured legacy web applications
  - Unusual but authorized API testing
level: medium
---
title: Potential CRLF Injection (Log Forgery) in Web Requests
id: 9b3d2e6f-5g4b-5c8b-0d2e-3f4g5a6b7c8e
status: experimental
description: Detects CRLF injection attempts often used to forge logs or split HTTP responses. Looks for URL encoded carriage return/line feeds.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-02
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
  - attack.t1564.008
logsource:
  category: web_access
  product: proxy
detection:
  selection:
    cs-uri-query|contains:
      - '%0d%0a'
      - '%0D%0A'
  condition: selection
falsepositives:
  - Legitimate data transmission containing encoded line breaks (rare in query strings)
level: high
---
title: Brute Force Authentication Attempt against OT Management Portal
id: 0c4e3f7g-6h5c-6d9c-1e3f-4g5h6a7b8c9d
status: experimental
description: Detects multiple failed login attempts originating from a single source IP against a specific management interface, indicating a potential brute force attack.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-02
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1110.003
logsource:
  category: authentication
  product: ot
detection:
  selection:
    EventID: 4625 # Failed Login
  filter:
    TargetUserName|contains: 'admin'
  timeframe: 5m
  condition: selection | count() by SourceIpAddress > 10
falsepositives:
  - Misconfigured service accounts
  - Legacy devices failing authentication loops
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Path Traversal patterns in Syslog/CEF or CommonSecurityLog
// Adjust 'cs-uri-query' based on your specific schema normalization
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where RequestMethod in ("POST", "GET")
| where cs-uri-query has "../" 
   or cs-uri-query has "%2e%2e" 
   or cs-uri-query has "..\"
| project TimeGenerated, DeviceIP, SourceIP, DestinationIP, RequestMethod, cs-uri-query, DeviceAction
| summarize count() by SourceIP, DeviceIP, bin(TimeGenerated, 1h)
| order by count_ desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for installation of PowerChute Serial Shutdown on Linux/Windows endpoints
-- and check for suspicious process execution patterns (e.g., web server spawning shell)

SELECT OSPath, Mtime, Atime, Size
FROM glob(globs="/*PowerChute*", root="/")
WHERE OSPath

-- Alternative: Check for process names often associated with this software
-- Note: Replace process names if specific binary names are confirmed during IR
SELECT Pid, Name, CommandLine, Exe
FROM pslist()
WHERE Name =~ "powerchute" 
   OR Name =~ "pcss" 
   OR Exe =~ "PowerChute"

Remediation Script

Bash / Shell
#!/bin/bash
# PowerChute Serial Shutdown Vulnerability Remediation Check (Linux)
# Checks for running processes and advises on version upgrade.

PROCESS_NAMES=("pcss" "PowerChute" "jre") # Add specific binary names if known
VULN_VERSION="1.4"

echo "[+] Scanning for Schneider Electric PowerChute Serial Shutdown processes..."
FOUND=0

for PROC in "${PROCESS_NAMES[@]}"; do
  if pgrep -x "$PROC" > /dev/null; then
    echo "[!] Potential PowerChute process found: $PROC"
    pgrep -a "$PROC"
    FOUND=1
  fi
done

if [ "$FOUND" -eq 1 ]; then
  echo "[!] Action Required: Verify the software version."
  echo "[!] If PowerChute Serial Shutdown is installed, ensure it is upgraded to a version newer than $VULN_VERSION."
  echo "[!] Refer to Schneider Electric advisory for download links."
else
  echo "[-] No default PowerChute processes detected."
fi
PowerShell
# PowerChute Serial Shutdown Vulnerability Remediation Check (Windows)
# Checks registry for installed PowerChute Serial Shutdown versions.

$RegPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)

$TargetProduct = "*PowerChute*Serial*"
$VulnerableVersions = "1.4", "1.3", "1.2", "1.1", "1.0"

Write-Host "[+] Scanning for Schneider Electric PowerChute Serial Shutdown..." -ForegroundColor Cyan

$InstalledApps = Get-ItemProperty $RegPaths -ErrorAction SilentlyContinue | 
    Where-Object { $_.DisplayName -like $TargetProduct }

if ($InstalledApps) {
    foreach ($App in $InstalledApps) {
        Write-Host "[!] Found Installation:" -ForegroundColor Yellow
        Write-Host "    Name: $($App.DisplayName)"
        Write-Host "    Version: $($App.DisplayVersion)"
        
        # Note: Perform strict version comparison if specific version strings are confirmed
        if ($VulnerableVersions -contains $App.DisplayVersion) {
            Write-Host "[!] STATUS: VULNERABLE. Version is 1.4 or lower." -ForegroundColor Red
            Write-Host "[!] ACTION: Update to the latest version immediately via Schneider Electric Support."
        } else {
            Write-Host "[-] STATUS: Version appears higher than 1.4, but please verify against the vendor advisory." -ForegroundColor Green
        }
    }
} else {
    Write-Host "[-] No PowerChute Serial Shutdown installations found in Registry." -ForegroundColor Green
}

Remediation

  1. Patch Immediately: Update Schneider Electric PowerChute Serial Shutdown to the latest version. Versions 1.4 and below are affected. Consult the official Schneider Electric security advisory or download portal to obtain the patched release.
  2. Verify Integrity: After patching, verify the software version via the management interface or the registry/file system to ensure the update was successful.
  3. Network Segmentation: Ensure that PowerChute management interfaces (web consoles) are not accessible directly from the internet. Restrict access to specific management subnets using firewall rules and VPNs.
  4. Review Logs: Audit logs for the Path Traversal and CRLF injection indicators provided above in the weeks prior to patching to determine if exploitation was attempted.
  5. Vendor Advisory: Refer to CISA Advisory ICSA-26-190-02 for the most technical details and vendor-specific mitigation instructions.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosureschneider-electricpowerchuteicsa-26-190-02path-traversalot-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.