Skip to main content

Ipp Software EUVDEUVD-2026-23174

| CVE-2026-22615 MEDIUM
Improper Input Validation (CWE-20)
2026-04-16 Eaton GHSA-w622-v92m-9f53
6.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 20:03 nvd
Patch available
Patch available
Apr 16, 2026 - 06:01 EUVD
Analysis Generated
Apr 16, 2026 - 05:17 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 05:00 euvd
EUVD-2026-23174
Analysis Generated
Apr 16, 2026 - 05:00 vuln.today
CVE Published
Apr 16, 2026 - 04:45 nvd
MEDIUM 6.0

DescriptionCVE.org

Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.

AnalysisAI

Eaton Intelligent Power Protector (IPP) software allows authenticated administrators with local system access to execute arbitrary commands via XML input validation bypass, requiring user interaction. The vulnerability impacts all versions of IPP software prior to the latest patched release available on Eaton's download center. CVSS score of 6.0 reflects high integrity and availability impact but is constrained by elevated privilege requirements and high attack complexity.

Technical ContextAI

The vulnerability stems from improper input validation (CWE-20) in Eaton IPP's XML processing functionality. CWE-20 encompasses insufficient input validation across protocols, file formats, and data structures - in this case, XML parsing is likely exploitable because the application fails to sanitize or validate XML entity content before processing it for command execution contexts. The affected CPE string (cpe:2.3:a:eaton:ipp_software:*:*:*:*:*:*:*:*) indicates all versions of Eaton's IPP software product line are in scope. The attack vector is network-accessible (AV:N), but exploitation requires high attack complexity (AC:H), high privileges (PR:H - administrator-level credentials), and user interaction (UI:R), suggesting the XML injection must be delivered through an authenticated session and requires an administrator to perform a specific action or open a crafted input.

RemediationAI

Update Eaton IPP software to the latest patched version available from the Eaton download center (reference Eaton security bulletin ETN-VA-2025-1025 for exact version designation). If immediate patching is not feasible, implement access controls restricting XML input submission to trusted sources and enforce principle of least privilege by auditing and removing unnecessary administrator accounts. Disable or restrict IPP's XML import/processing features if not required for operational needs, noting this may limit configuration backup/restore capabilities. Monitor administrator actions and XML processing logs for suspicious activity, particularly XML entities containing command execution patterns (shell metacharacters, script interpreters, or process execution keywords). These compensating controls have trade-offs: disabling XML processing impairs operational flexibility, and enhanced logging increases administrative overhead.

Share

EUVD-2026-23174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy