CVE-2026-22615
XML Injection in Eaton IPP Allows Arbitrary Command Execution
Publication date: 2026-04-16
Last updated on: 2026-04-22
Assigner: Eaton
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eaton | intelligent_power_protector | to 2.00 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML components. An attacker who has administrative privileges and local system access can exploit this flaw to inject malicious code, which can lead to arbitrary command execution on the affected system.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker with admin rights and local access to execute arbitrary commands on your system. This could lead to unauthorized actions such as modifying system settings, accessing sensitive data, or disrupting normal operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Eaton Intelligent Power Protector (IPP) software to the latest version available from the Eaton download centre where the security issue has been fixed.