CVE-2025-59886
Improper Input Validation in Eaton xComfort ECI Enables Privileged Command Execution
Publication date: 2025-12-23
Last updated on: 2026-02-18
Assigner: Eaton
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eaton | xcomfort_ethernet_communication_interface | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is due to improper input validation at one of the endpoints of Eaton xComfort ECI's web interface. It allows an attacker with network access to the device to execute privileged user commands.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability could execute privileged commands on the device, potentially leading to full compromise of the device's functionality, data confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
Since Eaton has discontinued the xComfort ECI product and will no longer provide security updates or support, the immediate mitigation step is to retire or replace the affected devices to prevent exploitation. Additionally, restrict network access to the device to trusted users only, and monitor for any unusual privileged command executions.