CVE-2025-11565
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-12
Assigner: Schneider Electric SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| schneider_electric | powerchute_serial_shutdown | 1.4 |
| schneider_electric | powerchute_serial_shutdown | 1.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability, identified as CWE-22 (Path Traversal), exists in Schneider Electric's PowerChuteβ’ Serial Shutdown product (version 1.3 and prior). It allows a Web Admin user on the local network to tamper with the POST /REST/UpdateJRE request payload, which can lead to elevated system access privileges. Essentially, it means that an attacker with low-level access on the local network can manipulate file paths to gain higher system privileges than intended. [1]
How can this vulnerability impact me? :
The vulnerability can lead to elevation of privileges, allowing an attacker with low-level access on the local network to gain higher system access. This impacts the confidentiality, integrity, and availability of the affected system. An attacker could potentially manipulate system files or configurations, leading to unauthorized control or disruption of services. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring for tampering attempts with the POST /REST/UpdateJRE request payload by a Web Admin user on the local network. Network traffic analysis tools or web server logs can be used to identify suspicious POST requests to /REST/UpdateJRE. Specific commands depend on your environment, but examples include using curl or wget to test the endpoint, or using packet capture tools like tcpdump or Wireshark to monitor POST requests. For example, a tcpdump command to capture POST requests to the vulnerable endpoint could be: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /REST/UpdateJRE'. Additionally, checking web server access logs for POST requests to /REST/UpdateJRE with unusual payloads can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading to PowerChuteβ’ Serial Shutdown version 1.4, which contains fixes for CVE-2025-11565. Additionally, ensure that only trusted Web Admin users on the local network have access to the system. Follow standard patching best practices such as backing up systems and testing patches in isolated environments before deployment. Implement network segmentation to isolate control and safety system networks behind firewalls, separate from business networks. Restrict programming software and administrative access to intended networks only. Also, apply physical security controls to prevent unauthorized access. For CVE-2025-11567 related to permissions, verify and set proper administrative permissions on the installation folder, especially if a custom folder is used. [1]