Cyber Resilience

CVE-2025-59886

Severity: High

Published: 23 December 2025
Modified: 18 February 2026
KEV Added: not listed
Patch: none (product discontinued)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (19.3rd percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59886 is a high-severity Improper Input Validation (CWE-20) vulnerability in the Eaton xComfort Ethernet Communication Interface (ECI). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 19.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-59886 is an improper input validation vulnerability (CWE-20) in one of the endpoints of the web interface of the Eaton xComfort ECI, a networked device. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): the endpoint does not adequately validate the input it receives, and an attacker can use this to execute privileged user commands on the device. The vulnerability was published on 23 December 2025.

An attacker with network access to the affected xComfort ECI device and a low-privileged account (PR:L) can exploit the flaw without any user interaction. Successful exploitation allows execution of privileged user commands, with high impact on confidentiality, integrity, and availability.

Eaton's security bulletin (ETN-VA-2025-1022) states that the xComfort ECI product has been discontinued to align with evolving cybersecurity standards. No patches, security updates, non-security updates, paid support, or technical content updates will be provided after retirement.

Because no vendor fix will ever ship, practitioners should prioritise retiring affected xComfort ECI devices, and until then restrict network reachability of their web interface to the management hosts that need it. Isolation is the only compensating control available.
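The triage the paragraph above describes, as an added example that is not code from the original page or from Eaton: it walks an asset inventory, matches the affected product (all versions), ranks each hit by network reachability (the vector is AV:N/PR:L, so whoever can reach the web interface with a low-privilege account is a potential attacker), and emits allow-list firewall rules for units that must stay online until they are replaced. The inventory rows are constructed sample data; the field names, segment names, management allow-list, nftables syntax target and web-interface ports are assumptions for illustration, since the page does not name the interface port.

```python
"""Triage an asset inventory for CVE-2025-59886 (Eaton xComfort ECI).

Added example; not code from the original page or from Eaton. Inventory rows
are constructed sample data, and the field names, segment names, management
allow-list and web-interface ports are assumptions for illustration.
"""
from dataclasses import dataclass
import re

# What the advisory supports: vendor Eaton, product xComfort Ethernet
# Communication Interface (ECI), all versions, product discontinued, no fix.
AFFECTED_VENDOR = "eaton"
AFFECTED_PRODUCT_PATTERNS = (
    r"\bxcomfort\s+ethernet\s+communication\s+interface\b",
    r"\bxcomfort\s+eci\b",
)
FIX_AVAILABLE = False  # per ETN-VA-2025-1022: no security updates after retirement

ISOLATED_SEGMENTS = {"ot-mgmt"}  # assumed: segments already limited to OT management traffic
MGMT_HOSTS = ("10.10.0.5",)      # assumed: hosts that must keep reaching the web interface
WEB_PORTS = (80, 443)            # assumed; the page does not name the interface port


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    vendor: str
    product: str
    version: str
    internet_facing: bool
    segment: str


def is_affected(asset: Asset) -> bool:
    """Vendor and product match; version is ignored because all versions are affected."""
    if asset.vendor.strip().lower() != AFFECTED_VENDOR:
        return False
    name = re.sub(r"\s+", " ", asset.product.strip().lower())
    return any(re.search(p, name) for p in AFFECTED_PRODUCT_PATTERNS)


def triage(asset: Asset) -> dict:
    """Decide priority (1 = act first) and action for one asset.

    Reachability drives priority: Internet-facing units first, then units on a
    flat network, then units already behind a management segment. With no
    patch ever coming, the only actions are retire or isolate.
    """
    if not is_affected(asset):
        return {"host": asset.hostname, "affected": False}
    if asset.internet_facing:
        priority, action = 1, "retire now"
    elif asset.segment not in ISOLATED_SEGMENTS:
        priority, action = 2, "isolate, then retire"
    else:
        priority, action = 3, "keep isolated, schedule retirement"
    return {"host": asset.hostname, "affected": True, "unpatchable": not FIX_AVAILABLE,
            "priority": priority, "action": action}


def isolation_rules(asset: Asset, mgmt_hosts=MGMT_HOSTS, ports=WEB_PORTS) -> list:
    """nftables-style rules (assumed target) that let only the management
    allow-list reach the device's web interface and drop everything else."""
    portset = "{ " + ", ".join(str(p) for p in ports) + " }"
    rules = [f"ip saddr {src} ip daddr {asset.ip} tcp dport {portset} accept"
             for src in mgmt_hosts]
    rules.append(f"ip daddr {asset.ip} drop")
    return rules


# Constructed sample inventory (documentation addresses, not real hosts).
INVENTORY = [
    Asset("eci-lobby", "192.0.2.20", "Eaton", "xComfort Ethernet Communication Interface", "1.2", True, "dmz"),
    Asset("eci-plant", "192.0.2.21", "EATON", "xComfort ECI", "2.0", False, "office-lan"),
    Asset("eci-sub", "192.0.2.22", "Eaton", "xComfort   Ethernet Communication Interface", "3.1", False, "ot-mgmt"),
    Asset("plc-1", "192.0.2.30", "Eaton", "Some other controller", "4.0", False, "ot-mgmt"),
]


def worklist(inventory=INVENTORY) -> list:
    """Affected assets ordered by priority, ready for a ticket queue."""
    hits = [triage(a) for a in inventory]
    return sorted((h for h in hits if h["affected"]), key=lambda h: h["priority"])


if __name__ == "__main__":
    for item in worklist():
        print(item)
    print("\n".join(isolation_rules(INVENTORY[1])))
```

The product match is deliberately loose on whitespace and case because inventory tools rarely record the vendor's exact product string; the version field is not consulted at all, which is the point of an "all versions" advisory. The drop rule is last so the allow-list entries win, and nothing here should be taken as the device's actual port list.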


Vulnerability details

Improper input validation at one of the endpoints of Eaton xComfort ECI's web interface could lead to an attacker with network access to the device executing privileged user commands. As cybersecurity standards continue to evolve and to meet our requirements today, Eaton has decided to discontinue the product. Upon retirement or end of support, there will be no new security updates, non-security updates, or paid assisted support options, or online technical content updates.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The flaw sits in a network-reachable web interface and yields privileged command execution from a low-privileged account, so remote exploitation maps to T1190 (Exploit Public-Facing Application) and the resulting elevation to T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22615 (same vendor: Eaton)
CVE-2025-40836 (shared CWE-20)
CVE-2025-30213 (shared CWE-20)
CVE-2026-2750 (shared CWE-20)
CVE-2026-22618 (same vendor: Eaton)
CVE-2025-27494 (shared CWE-20)
CVE-2026-4342 (shared CWE-20)
CVE-2025-15566 (shared CWE-20)
CVE-2026-24505 (shared CWE-20)
CVE-2025-1098 (shared CWE-20)

Affected Assets

Vendor: Eaton
Product: xComfort Ethernet Communication Interface (ECI)
Versions: all versions

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires implementation of input validation at web interface endpoints to prevent exploitation of the improper input validation vulnerability (CWE-20).

SA-22 Unsupported System Components (prevent)
Prohibits the use of discontinued and unsupported components like Eaton xComfort ECI, preventing exposure to unpatchable vulnerabilities.

prevent
Mandates identification and remediation of flaws like this command execution vulnerability through isolation or retirement of affected EOL devices.
