{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22618", "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "state": "PUBLISHED", "assignerShortName": "Eaton", "dateReserved": "2026-01-08T04:55:11.730Z", "datePublished": "2026-04-16T05:11:06.548Z", "dateUpdated": "2026-04-16T05:11:06.548Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "shortName": "Eaton", "dateUpdated": "2026-04-16T05:11:06.548Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-358", "description": "CWE-358 Improperly implemented security check for standard", "type": "CWE"}]}], "affected": [{"vendor": "Eaton", "product": "IPP software", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web\u2011based attacks.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web\u2011based attacks.&nbsp;<span>This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.</span></div>"}]}], "references": [{"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web\u2011based attacks.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre."}], "id": "CVE-2026-22618", "lastModified": "2026-04-16T06:16:10.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}, "published": "2026-04-16T06:16:10.297", "references": [{"source": "CybersecurityCOE@eaton.com", "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"}], "sourceIdentifier": "CybersecurityCOE@eaton.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-358"}], "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "IPP software", "source": "cna", "vendor": "Eaton"}, "product": "ipp_software", "vendor": "eaton"}], "analysis": {"en": {"generated_at": "2026-04-16T08:57:17.718259+00:00", "value": {"mitigation_remediation": ["Update Eaton Intelligent Power Protector to the latest version available from Eaton\u2019s download centre, which removes the insecure header setting.", "If an update cannot be applied immediately, configure the web server or reverse proxy to supply secure header values, such as setting X\u2011Frame\u2011Options to SAMEORIGIN or enforcing a Content\u2011Security\u2011Policy that prevents framing and content injection.", "After remediation, monitor web access logs and run vulnerability scans to confirm that the header is correctly set and that no residual misconfiguration remains."], "summary": {"action": "Patch Now", "impact": "Web\u2011based attack potential due to an insecure HTTP response header"}, "threat_synthesis": {"affected_systems": "Eaton Intelligent Power Protector, the industrial power management software that exposes a web interface. The advisory notes that the issue is fixed in the latest release available from Eaton\u2019s download centre, but specific version numbers are not listed, so all Internet\u2011connected IPP deployments should be treated as potentially affected until the patch is applied.", "description_and_impact": "A misconfigured HTTP response header in Eaton Intelligent Power Protector (IPP) exposes users to web\u2011based attacks. The software sets an insecure attribute in the HTTP header, allowing attackers to manipulate browser behavior, such as clickjacking or other browser exploitation. This weakness is represented by CWE\u2011358, indicating improper handling of HTTP header values.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a moderate severity, and the lack of an EPSS score along with the absence from the CISA KEV catalog suggests that widespread exploitation is unlikely at present. Attackers would need remote access to the IPP\u2019s web interface to exploit the header, making the risk moderate but non\u2011negligible. Organizations should assess whether the device is exposed to the public network and prioritize remediation accordingly."}}}}, "created": "2026-04-16T06:30:05.893883+00:00", "updated": "2026-04-16T09:00:05.294102+00:00", "vendors": ["eaton", "eaton$PRODUCT$ipp_software"]}