Description
Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.
Published: 2026-04-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential compromise risk
Action: Apply patch
AI Analysis

Impact

Eaton Intelligent Power Protector (IPP) software permits repeated authentication attempts against its web interface login page because rate-limiting controls are inadequate. This flaw enables a brute-force approach that could allow an attacker to guess valid credentials and gain unauthorized access to the device’s configuration and monitoring functions.

Affected Systems

Eaton:IPP Software, specifically the Eaton Intelligent Power Protector product. All releases prior to the most recent update are affected; the issue was resolved in the latest version available from the Eaton download centre.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, but the EPSS metric is not available, so precise exploitation probability remains unknown. The vulnerability has not been reported in the CISA KEV catalog. The likely attack vector is the publicly accessible web interface, which, if exposed to the Internet or a wide internal network, gives an attacker significant opportunity to launch repeated login attempts. Due to the lack of rate limitation, a determined attacker could potentially discover valid credentials, leading to unauthorized control of the device.

Generated by OpenCVE AI on April 16, 2026 at 08:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Eaton IPP software update that resolves the rate-limiting issue.
  • Restrict network access to the IPP web interface to trusted IP ranges or implement firewall rules that limit exposure.
  • Enforce strong passwords and, if supported, enable two-factor authentication for IPP user accounts.

Generated by OpenCVE AI on April 16, 2026 at 08:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Title Repeated Authentication Attempts Due to Insufficient Rate‑Limiting in Eaton IPP Web Interface

Thu, 16 Apr 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Eaton
Eaton ipp Software
Vendors & Products Eaton
Eaton ipp Software

Thu, 16 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Description Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Eaton Ipp Software
cve-icon MITRE

Status: PUBLISHED

Assigner: Eaton

Published:

Updated: 2026-04-16T13:30:12.024Z

Reserved: 2026-01-08T04:55:11.728Z

Link: CVE-2026-22616

cve-icon Vulnrichment

Updated: 2026-04-16T13:30:06.472Z

cve-icon NVD

Status : Received

Published: 2026-04-16T05:16:14.563

Modified: 2026-04-16T05:16:14.563

Link: CVE-2026-22616

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses