CISA issues alert on Schneider Electric PowerChute Serial Shutdown vulnerabilities

Schneider Electric's PowerChute Serial Shutdown software versions 1.3 and earlier contain vulnerabilities that could allow unauthorized system access through path traversal, missing restrictions on repeated authentication attempts, and incorrect default permissions. These issues may affect system security when exploited by network users.

The vulnerabilities are tracked as CVE-2025-11565, CVE-2025-11566, and CVE-2025-11567. CVE-2025-11565 is a path traversal flaw that a Web Admin user on the local network can trigger by manipulating the payload of the POST /REST/UpdateJRE request; it affects PowerChute Serial Shutdown up to version 1.3. CVE-2025-11566 is a failure to limit authentication attempts, which allows repeated credential trials against the /REST/shutdownnow endpoint remotely and affects the same product versions. CVE-2025-11567 concerns incorrect default permissions on the installation folder, which can give elevated system access when the folder of the installed software is not properly secured. The Common Vulnerability Scoring System (CVSS) v3.1 base scores for these vulnerabilities are 7.0, 7.3, and 7.8, respectively.

Exploitation of these vulnerabilities can result in attackers gaining elevated system privileges or unauthorized access to user accounts within affected networks.

Mitigations include upgrading PowerChute Serial Shutdown to version 1.4, which addresses all three vulnerabilities. For CVE-2025-11567 specifically, if the software is installed in a non-default folder, administrators should adjust folder permissions to administrative levels as detailed in Schneider Electric's Security Handbook. Fixed versions are available for Microsoft Windows, Red Hat Enterprise Linux, and SuSE Linux platforms.

The advisory recommends minimizing exposure of control system devices to public networks, isolating such systems behind firewalls, and using secure remote access methods like VPNs while acknowledging their limitations. Organizations should conduct thorough impact analysis before implementing defensive actions. Additional best practices are accessible through CISA's industrial control systems resources, including defense-in-depth strategies and targeted intrusion mitigation. Suspected malicious activities should be handled per internal protocols and reported for incident tracking.
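For monitoring while the upgrade is pending, the following Python example flags sources that make repeated failed requests to /REST/shutdownnow, the behaviour CVE-2025-11566 leaves unrestricted. It is added here and is not taken from the advisory; the access-log format (Common Log Format from a proxy or sensor in front of the web interface), the 401/403 failure codes, the threshold and window, and the sample lines are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: Common Log Format lines from a proxy or sensor in front of the
# PowerChute web interface. The product's own log layout is not on the page.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/REST/shutdownnow"      # endpoint named for CVE-2025-11566
FAIL_STATUSES = {"401", "403"}      # assumption: rejected credentials return 401/403
THRESHOLD = 5                       # assumed tuning value
WINDOW = timedelta(seconds=60)      # assumed tuning value

def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source: peak failures within any window} for sources that
    reach the threshold. Lines from one source must be in time order."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not an access-log line
        path = m["path"].split("?", 1)[0].rstrip("/")
        # Compare case-insensitively so case variants of the path are not missed.
        if path.lower() != ENDPOINT.lower() or m["status"] not in FAIL_STATUSES:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:                     # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[m["src"]] = max(alerts.get(m["src"], 0), len(q))
    return alerts

# Constructed sample log (documentation address range, made-up timestamps).
SAMPLE_LOG = [
    f'192.0.2.10 - - [12/Nov/2025:10:00:{s:02d} +0000] "POST /REST/shutdownnow HTTP/1.1" 401 0'
    for s in range(0, 30, 5)        # six failures in 25 seconds
] + [
    '192.0.2.20 - - [12/Nov/2025:10:00:00 +0000] "POST /REST/shutdownnow HTTP/1.1" 401 0',
    '192.0.2.20 - - [12/Nov/2025:10:05:00 +0000] "POST /REST/shutdownnow HTTP/1.1" 401 0',
    '192.0.2.30 - - [12/Nov/2025:10:00:01 +0000] "GET /status HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for src, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {peak} failed attempts on {ENDPOINT} within {WINDOW}")
```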

Users are further advised to guard against social engineering by avoiding unsolicited email links or attachments and referring to official guidance on recognizing and preventing email scams and phishing attacks. At present, there is no reported public exploitation of these specific vulnerabilities.