Description
A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
Published: 2026-04-16
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Web‑based attack potential due to an insecure HTTP response header
Action: Patch Now
AI Analysis

Impact

A misconfigured HTTP response header in Eaton Intelligent Power Protector (IPP) exposes users of its web interface to web‑based attacks. The advisory states only that the header is set with an insecure attribute; it does not name the header. Misconfigurations of this kind let content controlled by an attacker influence how the victim's browser treats the IPP interface (framing it for clickjacking is the classic case) where a correctly set header would have blocked it. The weakness is classified as CWE‑358, Improperly Implemented Security Check for Standard: the protection mechanism is present but not implemented the way the standard requires, so browsers do not enforce it.

Affected Systems

Eaton Intelligent Power Protector, Eaton's UPS power‑management and shutdown software, which exposes a web interface for administration. The advisory says the issue is fixed in the latest release available from Eaton's download centre but lists neither affected nor fixed version numbers, so every IPP deployment whose web interface is reachable from users' browsers should be treated as affected until it is updated.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N) gives a score of 5.9, Medium. The attack is network‑reachable and needs no privileges, but it has high complexity and requires user interaction, which matches a browser‑side attack against someone who is using the IPP web interface rather than a direct attack on the server. The EPSS estimate is below 1 % and the CVE is not in the CISA KEV catalog, so widespread exploitation is unlikely at present; the SSVC assessment recorded in the history below likewise marks it Exploitation: none, Automatable: no. An attacker still needs a victim whose browser can reach the IPP web interface, so organizations should check whether that interface is exposed beyond the management network and prioritize remediation accordingly.

Generated by OpenCVE AI on April 16, 2026 at 08:57 UTC.

Remediation

The vendor states that the issue is fixed in the latest version of Eaton IPP, available from the Eaton download centre. No separate workaround is listed; the mitigations below are general hardening measures, not vendor guidance.

OpenCVE Recommended Actions

  • Update Eaton Intelligent Power Protector to the latest version available from Eaton’s download centre, which removes the insecure header setting.
  • If an update cannot be applied immediately, have a reverse proxy in front of the IPP web interface set or overwrite the browser‑protection headers with secure values, for example X‑Frame‑Options: DENY (or SAMEORIGIN) together with a Content‑Security‑Policy whose frame‑ancestors directive prevents framing. Because the advisory does not name the affected header, apply the full set of standard hardening headers rather than guessing at a single one.
  • After remediation, monitor web access logs and run vulnerability scans to confirm that the header is correctly set and that no residual misconfiguration remains.
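To verify the mitigation in the second bullet and carry out the post‑remediation check in the third, here is an added example (not Eaton's code and not part of the original page) that parses a raw HTTP response and flags header settings a browser would not honour or that leave the interface frameable or its cookies unprotected. The advisory does not say which header is affected, so the checks cover the usual browser‑protection headers; the two sample responses are constructed for the example, not captured from an IPP instance.

```python
"""Audit the security headers of an HTTP response.

Added example, not Eaton's code. The advisory does not name the
misconfigured header, so this covers the standard browser-protection
headers a reverse proxy is expected to set.
"""
from typing import Dict, List, Optional

# Constructed sample responses (not captured from a real IPP instance).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOWALL\r\n"          # not a valid value; browsers ignore it
    "Set-Cookie: session=abc123; Path=/\r\n"  # no Secure, HttpOnly or SameSite
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Return header name (lower-cased) -> list of values; repeated headers keep all values."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_frame_ancestors(csp_values: List[str]) -> Optional[List[str]]:
    """Extract the frame-ancestors source list from CSP header(s), or None if absent."""
    for csp in csp_values:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings: List[str] = []

    # Framing protection: CSP frame-ancestors takes precedence over X-Frame-Options.
    ancestors = csp_frame_ancestors(headers.get("content-security-policy", []))
    xfo = headers.get("x-frame-options", [])
    if ancestors is None:
        if not xfo:
            findings.append("no framing protection: neither CSP frame-ancestors nor X-Frame-Options")
        elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
            # Anything else (ALLOWALL, ALLOW-FROM ...) is ignored by current browsers.
            findings.append(f"X-Frame-Options has invalid/insecure value {xfo[0]!r}")
    elif any(src.strip("'") in ("*", "http:", "https:") for src in ancestors):
        findings.append(f"CSP frame-ancestors allows any origin: {' '.join(ancestors)}")

    # Cookie attributes: a session cookie without these is exposed to downgrade, XSS and CSRF.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(f"Set-Cookie {name!r} lacks {', '.join(missing)}")

    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if not headers.get("strict-transport-security"):
        findings.append("Strict-Transport-Security missing")
    return findings


def audit_response(raw: str) -> List[str]:
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(raw) or ['OK']}")
```

In practice, feed the script the raw response from the IPP interface (for example the output of `curl -si https://<ipp-host>/`) both directly and through the reverse proxy; the proxy path should return no findings, and re-running it after the vendor update confirms the header is set correctly by the application itself.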

Generated by OpenCVE AI on April 16, 2026 at 08:57 UTC.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 06:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Eaton; Eaton ipp Software

Type: Vendors & Products
Values Removed: none
Values Added: Eaton; Eaton ipp Software

Thu, 16 Apr 2026 05:45:00 +0000

Type: Description
Values Removed: none
Values Added: A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.

Type: Weaknesses
Values Removed: none
Values Added: CWE-358

Type: References
Values Removed: none
Values Added: none listed

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Eaton

Published:

Updated: 2026-04-16T13:10:01.651Z

Reserved: 2026-01-08T04:55:11.730Z

Link: CVE-2026-22618

Vulnrichment

Updated: 2026-04-16T13:09:56.818Z

NVD

Status : Received

Published: 2026-04-16T06:16:10.297

Modified: 2026-04-16T06:16:10.297

Link: CVE-2026-22618

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses