Skip to main content

Ipp Software EUVDEUVD-2026-23177

| CVE-2026-22618 MEDIUM
Improperly Implemented Security Check for Standard (CWE-358)
2026-04-16 Eaton GHSA-9ghh-rh79-4vmr
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 20:01 nvd
Patch available
Patch available
Apr 16, 2026 - 06:01 EUVD
Analysis Generated
Apr 16, 2026 - 05:59 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 05:45 euvd
EUVD-2026-23177
Analysis Generated
Apr 16, 2026 - 05:45 vuln.today
CVE Published
Apr 16, 2026 - 05:11 nvd
MEDIUM 5.9

DescriptionCVE.org

A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.

AnalysisAI

Insecure HTTP response header configuration in Eaton Intelligent Power Protector (IPP) software enables attackers to perform web-based attacks including information disclosure and content modification. The vulnerability requires network access, unusual attack complexity, and user interaction (CVSS AV:N/AC:H/PR:N/UI:R), affecting all versions of IPP software prior to the patched release. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

HTTP response headers are critical security controls that instruct browsers on how to handle content and enforce policies. The vulnerability stems from CWE-358 (Improperly Implemented Security Check for Standard), where an HTTP response header is misconfigured with insecure attributes. This likely relates to headers such as Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, or Strict-Transport-Security being absent, improperly set, or allowing unsafe directives. Eaton IPP is a power management and UPS monitoring platform that delivers web-based administrative interfaces; misconfigured security headers in such interfaces expose administrators and users to clickjacking, MIME-sniffing, XSS amplification, and protocol downgrade attacks. The affected product is identified by CPE cpe:2.3:a:eaton:ipp_software:*:*:*:*:*:*:*:* indicating all versions of IPP software are affected until a patched version is released.

RemediationAI

Download and install the patched version of Eaton IPP software from the Eaton download center as described in security bulletin etn-va-2025-1025.pdf. The patch corrects the misconfigured HTTP response headers to enforce secure directives. Pending patch deployment, administrators should restrict access to the IPP web interface to trusted networks only via firewall rules or VPN, disable unnecessary administrative access, and educate users not to click on untrusted links while authenticated to IPP sessions. Implement a Web Application Firewall (WAF) rule to add missing security headers (Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Strict-Transport-Security) if upstream of the IPP application, though this is a compensating control and not a substitute for the vendor patch. Monitor IPP access logs for signs of header-based attacks such as unusual framing attempts or MIME-type mismatches. The side effect of restricting network access is potential operational inconvenience if remote administration is required; WAF headers may impact legitimate functionality if IPP relies on specific content behaviors.

Share

EUVD-2026-23177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy