Skip to main content

Ipp Software CVE-2026-22619

| EUVDEUVD-2026-23178 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-04-16 Eaton GHSA-w3cg-4gfc-vw5x
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 22, 2026 - 20:00 nvd
Patch available
Re-analysis Queued
Apr 16, 2026 - 06:37 vuln.today
cvss_changed
Patch available
Apr 16, 2026 - 06:01 EUVD
Analysis Generated
Apr 16, 2026 - 05:59 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 05:45 euvd
EUVD-2026-23178
Analysis Generated
Apr 16, 2026 - 05:45 vuln.today
CVE Published
Apr 16, 2026 - 05:26 nvd
HIGH 7.8

DescriptionCVE.org

Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center.

AnalysisAI

Arbitrary code execution in Eaton Intelligent Power Protector (IPP) software via insecure library loading allows local authenticated attackers with low privileges to execute code with elevated integrity impact across security boundaries. Attack complexity is high, requiring the attacker to have access to the software package installation files. EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis. Eaton has released a patched version available through their download center.

Technical ContextAI

This vulnerability exploits insecure library loading, commonly known as DLL hijacking or binary planting on Windows systems. When the IPP executable launches, it searches for required libraries in an insecure manner-typically checking the application directory or current working directory before system paths. An attacker with access to the software package can place a malicious library in a location where the IPP executable will load it during initialization. The CVSS vector indicates scope change (S:C), meaning successful exploitation allows the attacker to impact resources beyond the vulnerable component's security scope, likely escalating from a low-privileged user context to system-level execution. The affected product is identified by CPE cpe:2.3:a:eaton:ipp_software, though specific vulnerable version ranges are not provided in available data.

RemediationAI

Upgrade to the latest version of Eaton Intelligent Power Protector software available from the Eaton download center, as confirmed by security bulletin ETN-VA-2025-1025 at https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf. The exact fixed version number is not specified in available data; consult the bulletin directly for version-specific guidance. If immediate patching is not feasible, implement compensating controls: restrict file system permissions on the IPP installation directory to prevent unauthorized users from placing malicious libraries (requires admin rights to modify ACLs, may complicate legitimate software updates); deploy application whitelisting to prevent execution of unsigned DLLs from the IPP directory (may require tuning to avoid blocking legitimate IPP components); monitor for suspicious DLL loads using EDR solutions configured to alert on library loading from non-standard paths (generates operational overhead for security teams). These mitigations reduce but do not eliminate risk, as they depend on correct configuration and may be bypassed by attackers with sufficient privileges. Patching remains the definitive remediation.

Share

CVE-2026-22619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy