Severity by source
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
AnalysisAI
Eaton Intelligent Power Protector (IPP) software allows authenticated administrators with local system access to execute arbitrary commands via XML input validation bypass, requiring user interaction. The vulnerability impacts all versions of IPP software prior to the latest patched release available on Eaton's download center. CVSS score of 6.0 reflects high integrity and availability impact but is constrained by elevated privilege requirements and high attack complexity.
Technical ContextAI
The vulnerability stems from improper input validation (CWE-20) in Eaton IPP's XML processing functionality. CWE-20 encompasses insufficient input validation across protocols, file formats, and data structures - in this case, XML parsing is likely exploitable because the application fails to sanitize or validate XML entity content before processing it for command execution contexts. The affected CPE string (cpe:2.3:a:eaton:ipp_software:*:*:*:*:*:*:*:*) indicates all versions of Eaton's IPP software product line are in scope. The attack vector is network-accessible (AV:N), but exploitation requires high attack complexity (AC:H), high privileges (PR:H - administrator-level credentials), and user interaction (UI:R), suggesting the XML injection must be delivered through an authenticated session and requires an administrator to perform a specific action or open a crafted input.
RemediationAI
Update Eaton IPP software to the latest patched version available from the Eaton download center (reference Eaton security bulletin ETN-VA-2025-1025 for exact version designation). If immediate patching is not feasible, implement access controls restricting XML input submission to trusted sources and enforce principle of least privilege by auditing and removing unnecessary administrator accounts. Disable or restrict IPP's XML import/processing features if not required for operational needs, noting this may limit configuration backup/restore capabilities. Monitor administrator actions and XML processing logs for suspicious activity, particularly XML entities containing command execution patterns (shell metacharacters, script interpreters, or process execution keywords). These compensating controls have trade-offs: disabling XML processing impairs operational flexibility, and enhanced logging increases administrative overhead.
More in Ipp Software
View allArbitrary code execution in Eaton Intelligent Power Protector (IPP) software via insecure library loading allows local a
Eaton Intelligent Power Protector (IPP) software allows brute-force credential attacks against the web interface login p
Insecure HTTP response header configuration in Eaton Intelligent Power Protector (IPP) software enables attackers to per
Eaton Intelligent Power Protector (IPP) software uses insecure cookie configuration that allows network attackers to int
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23174
GHSA-w622-v92m-9f53