Schneider Electric has released an emergency update for its PowerChute Serial Shutdown software, closing seven security vulnerabilities that expose Windows systems to potential takeover. The flaws, tracked as CVE-2026-2399 through CVE-2026-2405, affect all versions up to and including 1.4. The company and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are urging every user to install version 1.5 immediately.

What exactly is under attack?

The advisory, published in coordination with CISA, confirms that PowerChute Serial Shutdown 1.4 and earlier are susceptible to seven distinct vulnerabilities. While technical details remain sparse—a common practice to prevent exploitation before patches are widely applied—the sheer number of CVEs suggests a broad attack surface. PowerChute Serial Shutdown is a lightweight utility that communicates with APC uninterruptible power supplies (UPS) over serial or USB connections, monitoring battery status and initiating graceful shutdowns when power fails. It runs as a Windows service, often with elevated privileges, making it a juicy target for attackers.

The affected product is separate from the more modern PowerChute Business Edition or Network Shutdown; it is the legacy serial communication tool still used on countless Windows PCs and servers, especially in home labs, small businesses, and industrial environments where USB-connected UPS units are common. The update to version 1.5 addresses all seven CVEs. Schneider Electric has not released a detailed breakdown of each flaw, but the advisory classifies the overall severity as critical, implying that at least some vulnerabilities could allow remote code execution, privilege escalation, or denial of service.

What this means for you

If you have a UPS connected to a Windows computer and you installed the manufacturer’s software to manage it, there’s a strong chance you’re running PowerChute Serial Shutdown. Many APC UPS boxes still ship with this utility on a CD or point users to an older download page. Even if you bought your unit years ago, the software may be so old that it’s never been updated—and that’s the danger.

For home users: Your Windows desktop or laptop might be shielded by a consumer router’s firewall, but remember that PowerChute Serial Shutdown listens for commands locally. Malware already on your system—perhaps delivered via a malicious download or email attachment—could exploit the unpatched vulnerabilities to elevate privileges and gain SYSTEM-level access. In other words, a simple piece of malware could seize complete control of your PC by hopping through the UPS software. Since home users rarely patch auxiliary utilities, these computers are low‑hanging fruit.

For IT administrators and business users: Servers and workstations in corporate environments often rely on UPS management software for orderly shutdowns. Here, the risks multiply. In a domain‑joined environment, a compromised machine running the vulnerable service could be used for lateral movement. An attacker who exploits one of these flaws could pivot to other servers, harvest credentials, or disable power protection entirely—so a power outage hits without warning and takes down critical systems uncleanly. Industrial control settings, healthcare, and retail point‑of‑sale systems are particularly exposed because they may run legacy versions for years without an update cycle.

For developers and integrators: If you’ve embedded PowerChute Serial Shutdown into a larger solution—say, a kiosk or an embedded Windows device—you need to verify the version and update it across your fleet. The silent nature of these updates often means they are forgotten until a vulnerability makes headlines.

How we got here

PowerChute Serial Shutdown traces its lineage back to the early 2000s. APC (now part of Schneider Electric) designed it as a simple companion for its Back‑UPS and Smart‑UPS lines, offering basic monitoring and shutdown capabilities when the battery runs low. Over the decades, it has seen only modest updates. Version 1.4, the last public release before the patch, arrived several years ago and never faced public security scrutiny. Because it “just works,” countless users installed it and never looked back.

That complacency created a vast installed base of outdated software. In April 2026, Schneider Electric’s security team, likely tipped off by an external researcher or internal audit, discovered multiple vulnerabilities in the code. The findings were reported to CISA, which assigned CVE-2026-2399 through CVE-2026-2405 and issued an official advisory. The timeline suggests a coordinated disclosure: the vendor developed a fix (version 1.5), tested it, and then published the advisory alongside CISA to maximize awareness before attackers reverse‑engineer the patches.

This isn’t the first time UPS management software has been targeted. In the past, network‑facing UPS tools from various vendors have been exploited to gain a foothold into networks. What’s different this time is that PowerChute Serial Shutdown is purely serial/USB‑based, meaning the attack vector is local rather than remote. Yet that doesn’t diminish the risk—most attacks today begin with a local foothold, and any software running as a privileged service is a stepping stone.

What to do now

1. Identify your version
Open the PowerChute Serial Shutdown console. The version is displayed on the main screen or under Help → About. If you can’t find it, check the executable file details: right‑click pss.exe (usually in C:\Program Files (x86)\APC\PowerChute Serial Shutdown), choose Properties, and go to the Details tab. Any version number 1.4.0.0 or lower means you are vulnerable.

2. Download and install version 1.5
Go to the official Schneider Electric APC software download portal and search for “PowerChute Serial Shutdown v1.5.” Only download from apc.com or schneider-electric.com. Avoid third‑party sites. The installer will upgrade your existing installation, preserving your shutdown settings. You may need to run it as administrator.

3. Verify the update
After installation, confirm the new version number in the console. Additionally, check that your UPS communication is still working by checking the status indicators. If you have custom scripts or shutdown delays, review them to ensure they carried over.

4. For admins: deploy at scale
Use your software management tool (SCCM, Intune, PDQ Deploy, etc.) to push the update. The installer supports silent switches. A typical command line is:

PSS_Setup_1.5.exe /S /v/qn

Adjust parameters as needed. Check the Schneider Electric knowledge base for the exact silent‑install commands.

5. Mitigation if you can’t patch
Given the low complexity of deploying this update, there is little reason to delay. However, if you absolutely cannot upgrade immediately, restrict local access to the service. Consider stopping and disabling the “APC PBE Agent” and “APC PBE Server” services until the patch can be applied. Note that this will disable UPS monitoring and automatic shutdowns, leaving your system unprotected during a power outage—only a temporary measure.

6. Stay informed
Subscribe to CISA’s alerts and monitor Schneider Electric’s security notifications page. The CVEs are likely to receive further analysis by security researchers. Once the dust settles, expect Metasploit modules and proof‑of‑concept code to appear, raising the urgency even higher.

What to watch next

Schneider Electric has not indicated whether older, unsupported versions (like 1.2 or 1.3) will receive a backported fix—almost certainly not. If you are stuck on an ancient release because of compatibility with a legacy UPS model, you may be out of luck. Test version 1.5 thoroughly on a spare system before rolling it out. Over the coming weeks, independent researchers will likely publish detailed write‑ups of the CVEs, shedding light on how easy these vulnerabilities are to exploit. Expect this story to evolve from a “patch now” advisory into a more comprehensive security incident if widespread exploitation is detected. For now, the best defense is a quick, clean update.