Description
Due to improper
input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is
possible for an attacker with admin privileges and access to the local system to
inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
Published: 2026-04-16
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Command Execution
Action: Apply Patch
AI Analysis

Impact

This vulnerability stems from insufficient input validation in the XML used by Eaton Intelligent Power Protector. An attacker who has administrative privileges and can reach the local system can inject malicious content that is executed as system commands. The impact is that the attacker can perform arbitrary actions with the same rights as the local administrator, potentially compromising system integrity and confidentiality.

Affected Systems

The affected product is Eaton Intelligent Power Protector (IPP). No version details are specified, but the issue has been fixed in the most recent release available from Eaton’s download centre.

Risk and Exploitability

The CVSS score of 6 indicates moderate severity, and an EPSS score is not listed, suggesting no publicly known exploitation data. The flaw is not in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires local administrator access, so it is not a remote threat but would allow a privileged user to execute arbitrary commands. The risk is moderate for environments where administrators have unchecked local access to IoT or embedded devices.

Generated by OpenCVE AI on April 16, 2026 at 08:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Eaton IPP to the latest software release that contains the fix
  • Ensure that only trusted administrators have local admin rights on the device
  • Implement network segmentation and monitoring to detect unauthorized command execution attempts

Generated by OpenCVE AI on April 16, 2026 at 08:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Eaton
Eaton ipp Software
Vendors & Products Eaton
Eaton ipp Software

Thu, 16 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Description Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H'}

Subscriptions

Eaton Ipp Software
cve-icon MITRE

Status: PUBLISHED

Assigner: Eaton

Published:

Updated: 2026-04-16T12:59:58.829Z

Reserved: 2026-01-08T04:55:11.728Z

Link: CVE-2026-22615

cve-icon Vulnrichment

Updated: 2026-04-16T12:59:56.130Z

cve-icon NVD

Status : Received

Published: 2026-04-16T05:16:14.433

Modified: 2026-04-16T05:16:14.433

Link: CVE-2026-22615

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses