CVE-2025-11566 identifies a vulnerability in Schneider Electric's PowerChute Serial Shutdown software, specifically versions 1.3 and earlier. The vulnerability is categorized under CWE-307, which pertains to improper restriction of excessive authentication attempts. The affected endpoint, /REST/shutdownnow, does not implement adequate controls to limit the number of authentication attempts an attacker can make. Consequently, an attacker positioned on the local network can perform an unlimited number of login attempts using different credentials without triggering account lockout or other throttling mechanisms. This lack of restriction enables brute force attacks to gain unauthorized access to user accounts. The vulnerability does not require prior authentication, user interaction, or physical access beyond local network presence, increasing its exploitability. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and low to limited impacts on confidentiality, integrity, and availability. Although no public exploits are known, the vulnerability could allow attackers to disrupt power management operations or gain control over shutdown procedures, potentially affecting critical infrastructure. The vulnerability was reserved in October 2025 and published in November 2025, with no patches currently listed, emphasizing the need for proactive mitigation.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Schneider Electric's PowerChute Serial Shutdown to manage uninterruptible power supplies (UPS) and critical power infrastructure. Unauthorized access through brute force could lead to malicious or accidental shutdowns of critical systems, causing operational disruptions, data loss, or safety hazards. Sectors such as energy, manufacturing, healthcare, and data centers are particularly vulnerable due to their dependence on continuous power management. The ability to perform unlimited authentication attempts without lockout increases the likelihood of successful credential compromise. This could also facilitate lateral movement within networks, escalating the impact beyond the initial device. Given the critical nature of power management systems, exploitation could have cascading effects on availability and integrity of services. The medium CVSS score reflects moderate impact but the operational importance of the affected systems could amplify real-world consequences. European organizations must consider the risk to both IT and OT environments where PowerChute is deployed.

1. Immediately implement network segmentation to isolate PowerChute Serial Shutdown devices from general user networks, limiting local network access to trusted administrators only. 2. Monitor authentication logs for unusual or repeated failed login attempts on the /REST/shutdownnow endpoint to detect brute force activity early. 3. Enforce strong credential policies and consider multi-factor authentication (MFA) where possible to reduce the risk of credential compromise. 4. Apply any available patches or updates from Schneider Electric as soon as they are released; maintain close communication with the vendor for updates. 5. If patches are not yet available, consider deploying compensating controls such as web application firewalls (WAFs) or intrusion prevention systems (IPS) to detect and block excessive authentication attempts. 6. Conduct regular security assessments and penetration tests focusing on local network access controls and authentication mechanisms for critical infrastructure devices. 7. Educate network administrators and security teams about this vulnerability and ensure incident response plans include scenarios involving power management system compromise.