CVE-2026-2405 Overview
CVE-2026-2405 is an Uncontrolled Resource Consumption vulnerability (CWE-400) affecting Schneider Electric products. This vulnerability enables authenticated Web Admin users to cause denial of service conditions by flooding the system with POST /helpabout requests, resulting in excessive troubleshooting zip file creation that exhausts system resources.
Critical Impact
Authenticated attackers with Web Admin access can exhaust system resources through repeated troubleshooting file generation, causing denial of service and potential system unavailability.
Affected Products
- Schneider Electric products with Web Admin interface (refer to Schneider Electric Security Notice for specific affected versions)
Discovery Timeline
- 2026-04-14 - CVE-2026-2405 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-2405
Vulnerability Analysis
This vulnerability stems from a resource consumption flaw in the Schneider Electric Web Admin interface. The /helpabout endpoint, which is designed to generate troubleshooting zip files for diagnostic purposes, lacks proper rate limiting and resource management controls. When an authenticated Web Admin user repeatedly sends POST requests to this endpoint, the system continuously generates diagnostic archives without imposing restrictions on frequency or quantity.
The troubleshooting zip file generation process is resource-intensive, as it typically involves collecting system logs, configuration data, and diagnostic information. Without proper controls, an attacker can trigger multiple concurrent or sequential file generation operations that consume disk space, CPU cycles, and memory resources. This leads to resource exhaustion and denial of service conditions affecting the availability of the affected system.
Root Cause
The root cause is the absence of rate limiting, request throttling, or resource consumption controls on the /helpabout endpoint. The application fails to implement safeguards that would prevent excessive troubleshooting file creation requests from a single session or user within a given time period. Additionally, there appears to be no cleanup mechanism or quota enforcement for generated diagnostic files.
Attack Vector
The attack is network-based and requires authenticated access to the Web Admin interface. An attacker with valid Web Admin credentials can exploit this vulnerability by sending a large volume of POST requests to the /helpabout endpoint. The attack workflow involves:
- Authenticating to the Web Admin interface with valid credentials
- Sending repeated POST requests to the /helpabout endpoint
- Each request triggers the generation of a troubleshooting zip file
- System resources become exhausted as files accumulate and generation processes consume CPU and memory
- The system becomes unresponsive or unavailable to legitimate users
The vulnerability requires low-privilege authentication but can significantly impact system availability through resource exhaustion.
Detection Methods for CVE-2026-2405
Indicators of Compromise
- Abnormally high volume of POST requests to the /helpabout endpoint from a single user session
- Unusual disk space consumption due to accumulated troubleshooting zip files
- Elevated CPU and memory utilization during diagnostic file generation
- Multiple concurrent troubleshooting file generation processes
Detection Strategies
- Monitor web server access logs for patterns of repeated POST requests to /helpabout
- Implement alerting on disk space utilization thresholds in diagnostic file storage locations
- Track session activity for Web Admin users to identify abnormal request frequencies
- Monitor system resource utilization for sustained elevated CPU and memory consumption
Monitoring Recommendations
- Configure log aggregation to capture and analyze Web Admin interface access patterns
- Establish baseline metrics for normal /helpabout endpoint usage and alert on deviations
- Implement real-time monitoring of storage volumes where troubleshooting files are generated
- Enable session-level request tracking for privileged administrative interfaces
How to Mitigate CVE-2026-2405
Immediate Actions Required
- Review and restrict Web Admin access to only essential personnel with verified operational need
- Implement network-level access controls to limit connectivity to the Web Admin interface
- Monitor for unusual request patterns to the /helpabout endpoint
- Consider temporarily disabling the troubleshooting file generation feature if not critical to operations
Patch Information
Schneider Electric has released a security notice addressing this vulnerability. Refer to the Schneider Electric Security Notice SEVD-2026-104-01 for detailed patch and remediation guidance specific to affected products and versions.
Workarounds
- Implement rate limiting at the web server or reverse proxy level for the /helpabout endpoint
- Configure automated cleanup of troubleshooting zip files to prevent disk exhaustion
- Restrict Web Admin interface access to trusted IP ranges or networks using firewall rules
- Enable additional authentication factors for Web Admin access to reduce attack surface
# Example: Rate limiting configuration for nginx reverse proxy
# Add to location block for /helpabout endpoint
limit_req_zone $binary_remote_addr zone=helpabout_limit:10m rate=1r/m;
location /helpabout {
limit_req zone=helpabout_limit burst=2 nodelay;
# Additional proxy configuration
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
