Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
6DescriptionCVE.org
Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.
AnalysisAI
Eaton Intelligent Power Protector (IPP) software allows brute-force credential attacks against the web interface login page due to missing rate-limiting controls, enabling remote attackers to enumerate valid credentials and gain unauthorized access without authentication. CVSS 6.5 reflects moderate confidentiality and integrity impact via network access. Eaton has released a patched version available from their download center.
Technical ContextAI
CWE-307 (Improper Restriction of Excessive Authentication Attempts) identifies insufficient rate-limiting or account lockout mechanisms on web authentication endpoints. Eaton IPP is a power management and monitoring software suite for Uninterruptible Power Supply (UPS) systems; the vulnerable component is the web interface login handler. The absence of rate-limiting controls allows an attacker to submit unlimited authentication requests in rapid succession without throttling, timeout, or progressive delays-a critical oversight in any internet-exposed authentication service. The CPE indicates all versions of Eaton IPP software (cpe:2.3:a:eaton:ipp_software:*:*:*:*:*:*:*:*) are affected until patched.
RemediationAI
Upgrade Eaton IPP to the latest patched version available from the Eaton download center (exact version number to be confirmed from the security advisory etn-va-2025-1025.pdf). Immediately apply this update to all internet-exposed IPP instances. Until patching is complete, implement compensating controls: deploy a WAF (Web Application Firewall) or reverse proxy in front of the IPP web interface with strict rate-limiting rules (e.g., max 5 login attempts per IP per 15 minutes, with exponential backoff and temporary IP blocking after threshold breach). Restrict network access to the IPP web interface via network ACLs or firewall rules to only trusted management networks and disable direct internet exposure. Consider implementing RADIUS or LDAP integration with centralized authentication and account lockout policies if supported by IPP. These controls have minimal performance impact but significantly reduce brute-force viability.
More in Ipp Software
View allArbitrary code execution in Eaton Intelligent Power Protector (IPP) software via insecure library loading allows local a
Eaton Intelligent Power Protector (IPP) software allows authenticated administrators with local system access to execute
Insecure HTTP response header configuration in Eaton Intelligent Power Protector (IPP) software enables attackers to per
Eaton Intelligent Power Protector (IPP) software uses insecure cookie configuration that allows network attackers to int
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23175
GHSA-xcvh-9j7m-6vw3