Schneider Electric PowerChute Serial Shutdown Improper Restriction of Excessive Authentication Attempts Vulnerability
Vulnerability
An improper restriction of excessive authentication attempts vulnerability has been identified in Schneider Electric's PowerChute Serial Shutdown software, versions through 1.3. Affected versions do not limit authentication attempts on the /REST/shutdownnow endpoint, so an attacker on the local network could try an unlimited number of different credentials against it and gain access to user accounts.
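The weakness described above is the absence of any cap on failed logins per source. The following added example (not Schneider Electric's code, and not taken from this advisory) shows both halves of the defender's response: a detector that replays access-log lines and flags sources exceeding a failure threshold against the endpoint within a sliding window, and a server-side throttle that implements the lockout the fix should provide. The log line format, the HTTP 401 convention for failed logins, and the window/threshold/lockout values are all assumptions; the sample log lines are constructed.

```python
"""Added example, not Schneider Electric code.

Assumed (hypothetical) access-log format, one request per line:
    <ISO8601 timestamp> <client-ip> <method> <path> <http-status>
A failed login on the endpoint is assumed to return HTTP 401.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENDPOINT = "/REST/shutdownnow"      # endpoint named in the advisory
WINDOW = timedelta(minutes=5)        # constructed policy: sliding window length
MAX_FAILURES = 5                     # constructed policy: failures tolerated per window
LOCKOUT = timedelta(minutes=15)      # constructed policy: lockout after threshold

# Constructed sample log: 10.0.0.5 hammers the endpoint and finally succeeds,
# 10.0.0.9 mistypes once and then logs in normally.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 POST /REST/shutdownnow 401
2024-01-01T10:00:01 10.0.0.5 POST /REST/shutdownnow 401
2024-01-01T10:00:02 10.0.0.5 POST /REST/shutdownnow 401
2024-01-01T10:00:03 10.0.0.5 POST /REST/shutdownnow 401
2024-01-01T10:00:04 10.0.0.5 POST /REST/shutdownnow 401
2024-01-01T10:00:05 10.0.0.5 POST /REST/shutdownnow 401
2024-01-01T10:00:06 10.0.0.5 POST /REST/shutdownnow 200
2024-01-01T10:00:07 10.0.0.9 POST /REST/shutdownnow 401
2024-01-01T10:00:08 10.0.0.9 POST /REST/shutdownnow 200
2024-01-01T10:30:00 10.0.0.9 GET /REST/status 200
"""


def parse_line(line):
    """Split one assumed-format log line into typed fields."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def _trim(window_queue, now, window):
    """Drop timestamps that fell out of the sliding window."""
    while window_queue and now - window_queue[0] > window:
        window_queue.popleft()


def find_bruteforce_sources(log_text, window=WINDOW, max_failures=MAX_FAILURES):
    """Detection: return {ip: time the threshold was first exceeded} for every
    source with more than max_failures 401s on ENDPOINT inside one window."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _, path, status = parse_line(line)
        if path != ENDPOINT or status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        _trim(q, ts, window)
        if len(q) > max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


class LoginThrottle:
    """Mitigation pattern: after max_failures failed attempts from one source
    within `window`, reject further attempts until `lockout` has elapsed."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def allow(self, ip, now):
        """Should an authentication attempt from `ip` be processed at all?"""
        until = self.locked_until.get(ip)
        if until is None:
            return True
        if now < until:
            return False
        del self.locked_until[ip]      # lockout expired: start with a clean slate
        self.failures[ip].clear()
        return True

    def record(self, ip, now, success):
        """Update state after an attempt that was allowed through."""
        q = self.failures[ip]
        if success:
            q.clear()
            return
        q.append(now)
        _trim(q, now, self.window)
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout


def replay_with_throttle(log_text):
    """Replay the log through LoginThrottle; return how many attempts on
    ENDPOINT the throttle would have rejected outright."""
    throttle, rejected = LoginThrottle(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _, path, status = parse_line(line)
        if path != ENDPOINT:
            continue
        if not throttle.allow(ip, ts):
            rejected += 1
            continue
        throttle.record(ip, ts, success=(status == 200))
    return rejected


if __name__ == "__main__":
    print("flagged sources:", find_bruteforce_sources(SAMPLE_LOG))
    print("attempts rejected by throttle:", replay_with_throttle(SAMPLE_LOG))
```

On the constructed log the detector flags only 10.0.0.5, at its sixth failure, while 10.0.0.9's single mistake stays below the threshold. Replaying the same log through the throttle rejects two requests from 10.0.0.5, including the request that would have succeeded, which is the whole point of limiting attempts: the guess that eventually lands never reaches the credential check. Keying the throttle on source address alone is a simplification; a production version would also track attempts per account so that a distributed source pool cannot spread guesses across addresses.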
Impact
Exploitation of this vulnerability could lead to unauthorized access to user accounts.
Remediation
Users can upgrade to version 1.4 of PowerChute Serial Shutdown, which includes a fix for this vulnerability; it is available for download from the Schneider Electric website. Users who installed PowerChute in a custom folder should also set the required permissions on that folder, preferably administrative permissions. Specific instructions for these mitigations can be found in the Schneider Electric Security Handbook.