Skip to main content

Ipp Software CVE-2026-22616

| EUVDEUVD-2026-23175 MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-04-16 Eaton GHSA-xcvh-9j7m-6vw3
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 20:02 nvd
Patch available
Patch available
Apr 16, 2026 - 06:01 EUVD
Analysis Generated
Apr 16, 2026 - 05:17 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 05:00 euvd
EUVD-2026-23175
Analysis Generated
Apr 16, 2026 - 05:00 vuln.today
CVE Published
Apr 16, 2026 - 04:54 nvd
MEDIUM 6.5

DescriptionCVE.org

Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.

AnalysisAI

Eaton Intelligent Power Protector (IPP) software allows brute-force credential attacks against the web interface login page due to missing rate-limiting controls, enabling remote attackers to enumerate valid credentials and gain unauthorized access without authentication. CVSS 6.5 reflects moderate confidentiality and integrity impact via network access. Eaton has released a patched version available from their download center.

Technical ContextAI

CWE-307 (Improper Restriction of Excessive Authentication Attempts) identifies insufficient rate-limiting or account lockout mechanisms on web authentication endpoints. Eaton IPP is a power management and monitoring software suite for Uninterruptible Power Supply (UPS) systems; the vulnerable component is the web interface login handler. The absence of rate-limiting controls allows an attacker to submit unlimited authentication requests in rapid succession without throttling, timeout, or progressive delays-a critical oversight in any internet-exposed authentication service. The CPE indicates all versions of Eaton IPP software (cpe:2.3:a:eaton:ipp_software:*:*:*:*:*:*:*:*) are affected until patched.

RemediationAI

Upgrade Eaton IPP to the latest patched version available from the Eaton download center (exact version number to be confirmed from the security advisory etn-va-2025-1025.pdf). Immediately apply this update to all internet-exposed IPP instances. Until patching is complete, implement compensating controls: deploy a WAF (Web Application Firewall) or reverse proxy in front of the IPP web interface with strict rate-limiting rules (e.g., max 5 login attempts per IP per 15 minutes, with exponential backoff and temporary IP blocking after threshold breach). Restrict network access to the IPP web interface via network ACLs or firewall rules to only trusted management networks and disable direct internet exposure. Consider implementing RADIUS or LDAP integration with centralized authentication and account lockout policies if supported by IPP. These controls have minimal performance impact but significantly reduce brute-force viability.

Share

CVE-2026-22616 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy