VYPR · Vendor CVEs · Eaton

All CVEs: 75 total, sorted by risk
  • CVE-2018-16158 · Critical · Aug 30, 2018
    risk 0.69 · cvss 9.8 · epss 0.35

    Eaton Power Xpert Meter 4000, 6000, and 8000 devices before 13.4.0.10 have a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins (to uid 0) via the…

  • CVE-2018-12031 · Critical · Jun 7, 2018
    risk 0.65 · cvss 9.8 · epss 0.17

    Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via server/node_upgrade_srv.js directory traversal with the firmware parameter in a downloadFirmware action.

  • CVE-2025-64310 · Critical · Nov 21, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack.

  • CVE-2018-8847 · Critical · Jul 13, 2018
    risk 0.64 · cvss 9.8 · epss 0.07

    Eaton 9000X DriveA versions 2.0.29 and prior have a stack-based buffer overflow vulnerability, which may allow remote code execution.

  • CVE-2024-57811 · Critical · Jan 13, 2025
    risk 0.59 · cvss 9.1 · epss 0.00

    In Eaton X303 3.5.16 - X303 3.5.17 Build 712, an attacker with network access to an XC-303 PLC can log in as root over SSH. The root password is hardcoded in the firmware. NOTE: This vulnerability appears in versions that are no longer supported by Eaton.

  • CVE-2025-59889 · High · Oct 14, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Improper authentication of library files in the Eaton IPP software installer could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of IPP which is available on the Eaton download…

  • CVE-2025-22495 · High · Feb 24, 2025
    risk 0.55 · cvss 8.4 · epss 0.00

    An improper input validation vulnerability was discovered in the NTP server configuration field of the Network-M2 card. This could result in an authenticated high privileged user having the ability to execute arbitrary commands. The vulnerability has been resolved in the version…

  • CVE-2025-48396 · High · Nov 3, 2025
    risk 0.54 · cvss 8.3 · epss 0.00

    Arbitrary code execution is possible due to improper validation of the file upload functionality in Eaton BLSS. This security issue has been fixed in the latest script patch version of Eaton BLSS (7.3.0.SCP004).

  • CVE-2026-22619 · High · Apr 16, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of Eaton IPP software…

  • CVE-2016-9368 · High · Mar 14, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered in Eaton xComfort Ethernet Communication Interface (ECI) Versions 1.07 and prior. By accessing a specific uniform resource locator (URL) on the webserver, a malicious user may be able to access files without authenticating.

  • CVE-2016-2272 · High · Apr 6, 2016
    risk 0.49 · cvss 7.5 · epss 0.01

    Eaton Lighting EG2 Web Control 4.04P and earlier allows remote attackers to have an unspecified impact via a modified cookie.

  • CVE-2016-0871 · High · Apr 6, 2016
    risk 0.49 · cvss 7.5 · epss 0.02

    Eaton Lighting EG2 Web Control 4.04P and earlier allows remote attackers to read the configuration file, and consequently discover credentials, via a direct request.

  • CVE-2016-4512 · High · Jul 3, 2016
    risk 0.48 · cvss 7.3 · epss 0.04

    Stack-based buffer overflow in ELCSimulator in Eaton ELCSoft 2.4.01 and earlier allows remote attackers to execute arbitrary code via a long packet.

  • CVE-2025-59890 · High · Nov 27, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    Improper input sanitization in the file archives upload functionality of Eaton Galileo software allows path traversal, which could allow an attacker with local access to execute unauthorized code or commands. This security issue has been fixed in the latest version of…

  • CVE-2025-48397 · High · Nov 3, 2025
    risk 0.46 · cvss 7.1 · epss 0.00

    The privileged user could log in without sufficient credentials after enabling an application protocol. This security issue has been fixed in the latest script patch version of Eaton BLSS (7.3.0.SCP004).

  • CVE-2025-22491 · Medium · Feb 28, 2025
    risk 0.44 · cvss 6.7 · epss 0.00

    The user input was not sanitized on the Reporting Hierarchy Management page of the Foreseer Reporting Software (FRS) application, which could lead to execution of arbitrary JavaScript in a browser context for all the interacting users. This security issue has been patched in the latest…

  • CVE-2022-33862 · Medium · Nov 25, 2024
    risk 0.44 · cvss 6.7 · epss 0.00

    IPP software prior to v1.71 is affected by a default credential vulnerability. This could lead attackers to identify and access vulnerable systems.

  • CVE-2026-22616 · Medium · Apr 16, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate-limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton…

  • CVE-2026-22614 · Medium · Mar 10, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    The encryption mechanism used in Eaton's EasySoft project file was insecure and susceptible to brute force attacks; an attacker with access to this file and the local host machine could potentially read the sensitive information stored and tamper with the project file. This…

  • CVE-2026-22615 · Medium · Apr 16, 2026
    risk 0.39 · cvss 6.0 · epss 0.00

    Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed…

  • CVE-2016-4509 · Medium · Jul 3, 2016
    risk 0.39 · cvss 6.0 · epss 0.02

    Heap-based buffer overflow in elcsoft.exe in Eaton ELCSoft 2.4.01 and earlier allows remote authenticated users to execute arbitrary code via a crafted file.

  • CVE-2026-22618 · Medium · Apr 16, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web-based attacks. This security issue has been fixed in the latest version of Eaton IPP…

  • CVE-2026-22617 · Medium · Apr 16, 2026
    risk 0.37 · cvss 5.7 · epss 0.00

    Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network-based attacker to intercept the cookie and exploit it through a man-in-the-middle attack. This security issue has been fixed in the latest version of Eaton IPP…

  • CVE-2026-22613 · Medium · Feb 9, 2026
    risk 0.37 · cvss 5.7 · epss 0.00

    The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented, potentially allowing an attacker to perform a man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton Network M3 which…

  • CVE-2025-48393 · Medium · Aug 6, 2025
    risk 0.37 · cvss 5.7 · epss 0.00

    The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented, potentially allowing an attacker to perform a man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton G4 PDU which is…

  • CVE-2025-22493 · Medium · Mar 5, 2025
    risk 0.36 · cvss 5.6 · epss 0.00

    The Secure flag was not set and SameSite was set to Lax in the Foreseer Reporting Software (FRS). Absence of the Secure flag could lead to the session cookie being transmitted over unencrypted HTTP connections. This security issue has been resolved in the latest version of FRS…

  • CVE-2018-7511 · Medium · Mar 20, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    In Eaton ELCSoft versions 2.04.02 and prior, there are multiple cases where specially crafted files could cause a buffer overflow which, in turn, may allow remote execution of arbitrary code.

  • CVE-2016-9357 · Medium · Feb 13, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    An issue was discovered in certain legacy Eaton ePDUs -- the affected products are past end-of-life (EoL) and no longer supported: EAMxxx prior to June 30, 2015, EMAxxx prior to January 31, 2014, EAMAxx prior to January 31, 2014, EMAAxx prior to January 31, 2014, and ESWAxx…

  • CVE-2015-6471 · Medium · Dec 23, 2015
    risk 0.35 · cvss 5.3 · epss 0.01

    Eaton Cooper Power Systems ProView 4.x and 5.x before 5.1 on Form 6 controls and Idea and IdeaPLUS relays do not properly initialize padding fields in Ethernet packets, which allows remote attackers to obtain sensitive information by reading packet data.

  • CVE-2021-23282 · Medium · Nov 25, 2024
    risk 0.34 · cvss 5.2 · epss 0.08

    Eaton Intelligent Power Manager (IPM) prior to 1.70 is vulnerable to stored cross-site scripting. The vulnerability exists due to insufficient validation of input from certain resources by the IPM software. The attacker would need access to the local subnet and an administrator…

  • CVE-2022-33861 · Medium · Nov 25, 2024
    risk 0.33 · cvss 5.1 · epss 0.00

    IPP software versions prior to v1.71 do not sufficiently verify the authenticity of data, in a way that causes it to accept invalid data.

  • CVE-2025-48395 · Medium · Sep 5, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    An attacker with authenticated and privileged access could modify the contents of a non-sensitive file by traversing the path in the limited shell of the CLI. This security issue has been fixed in the latest version of NMC G2 which is available on the Eaton download center.

  • CVE-2025-67450 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Due to insecure library loading in the Eaton UPS Companion software executable, an attacker with access to the software package could perform arbitrary code execution. This security issue has been fixed in the latest version of EUC which is available on the Eaton download…

  • CVE-2025-59888 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Improper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution by an attacker with access to the file system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download…

  • CVE-2025-59887 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Improper authentication of library files in the Eaton UPS Companion software installer could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of EUC which is available on the Eaton…

  • CVE-2025-59886 · Dec 23, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Improper input validation at one of the endpoints of Eaton xComfort ECI's web interface could allow an attacker with network access to the device to execute privileged user commands. As cybersecurity standards continue to evolve and to meet our requirements today, Eaton…

  • CVE-2024-28952 · Nov 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Uncontrolled search path for some Intel(R) IPP software for Windows before version 2021.12.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

  • CVE-2024-31416 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The Eaton Foreseer software provides multiple customizable input fields for the users to configure parameters in the tool like alarms, reports, etc. Some of these input fields were not checking the length and bounds of the entered value. The exploit of this security flaw by a…

  • CVE-2024-31415 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used…

  • CVE-2024-31414 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The Eaton Foreseer software provides users the capability to customize the dashboard in WebView pages. However, the input fields for this feature in the Eaton Foreseer software lacked proper input sanitization on the server-side, which could lead to injection and execution of…

  • CVE-2024-28887 · Aug 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Uncontrolled search path in some Intel(R) IPP software before version 2021.11 may allow an authenticated user to potentially enable escalation of privilege via local access.

  • CVE-2023-43777 · Oct 17, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Eaton easySoft software is used to program easy controllers and displays for configuring, programming and defining parameters for all the intelligent relays. This software has a password protection functionality to secure the project file from unauthorized access. This password…

  • CVE-2023-43776 · Oct 17, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Eaton easyE4 PLC offers a device password protection functionality to facilitate a secure connection and prevent unauthorized access. It was observed that the device password was stored with a weak encoding algorithm in the easyE4 program file when exported to SD card (*.PRG…

  • CVE-2023-43775 · Sep 26, 2023
    risk 0.00 · cvss n/a · epss 0.01

    A denial-of-service vulnerability in the web server of the Eaton SMP Gateway allows an attacker to potentially force an unexpected restart of the automation platform, impacting the availability of the product. In rare situations, the issue could cause the SMP device to restart in…

  • CVE-2022-33859 · Oct 28, 2022
    risk 0.00 · cvss n/a · epss 0.00

    A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation’s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may…

  • CVE-2021-23283 · Apr 19, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting. The vulnerability exists due to insufficient validation of user input and improper encoding of the output for certain resources within the IPP software.

  • CVE-2021-23286 · Apr 18, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV Formula Injection. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior…

  • CVE-2021-23284 · Apr 18, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to Stored Cross-site Scripting vulnerability. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version…

  • CVE-2021-23285 · Apr 18, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to reflected Cross-site Scripting vulnerability. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version…

  • CVE-2021-23288 · Apr 1, 2022
    risk 0.00 · cvss n/a · epss 0.00

    The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. The attacker would need access to the local Subnet and an administrator interaction to compromise the system. This issue affects: Intelligent Power Protector versions…

Page 1 of 2