Cyber Posture

CVE-2026-22616

Medium

Published: 16 April 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22616 is a medium-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Eaton Intelligent Power Protector. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). Its EPSS score places it at the 5.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110) and its sub-technique Password Guessing (T1110.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-7 (prevent): enforces limits on unsuccessful logon attempts, directly addressing the insufficient rate-limiting that enables brute-force attacks on the IPP web interface login.

SI-2 (prevent): requires timely flaw remediation, such as patching to the fixed version of Eaton IPP, to eliminate the vulnerability before exploitation.

SC-5 (prevent): provides denial-of-service protections, including rate-limiting mechanisms at network or application boundaries, to mitigate brute-force authentication attempts.
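The AC-7 control above in working form, as an added example that is not Eaton's code or anything from the IPP product: a constructed login handler whose `throttle=False` mode reproduces the CWE-307 pattern (every attempt is evaluated) and whose default mode enforces a per-account lockout after a fixed number of consecutive failures. `MAX_FAILURES`, `LOCKOUT_SECONDS`, the account name and the password are constructed values.

```python
"""Per-account lockout for a web login: the AC-7 limit on unsuccessful logon
attempts that mitigates CWE-307. Constructed example, not Eaton IPP code."""
import hashlib, hmac, os
from dataclasses import dataclass

MAX_FAILURES = 5        # consecutive failures tolerated before lockout (constructed)
LOCKOUT_SECONDS = 900   # lockout period once the limit is hit (constructed)

def _hash(password: str, salt: bytes) -> bytes:   # low iteration count for demo speed
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

class Login:
    """throttle=False reproduces CWE-307: every attempt is checked, limited only by network speed."""
    def __init__(self, throttle: bool = True):
        self.throttle = throttle
        self.users: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = Account(salt, _hash(password, salt))

    def attempt(self, user: str, password: str, now: float) -> str:
        acct = self.users.get(user)
        if acct is None:
            return "fail"                    # same answer as a bad password
        if self.throttle and now < acct.locked_until:
            return "locked"                  # rejected even if the password is right
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0                # success resets the counter
            return "ok"
        acct.failures += 1
        if self.throttle and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "fail"

def guessing_run(throttle: bool, guesses: int = 20) -> dict:
    """Constructed guessing sequence: how many guesses were evaluated, and whether the real password gets in after."""
    svc = Login(throttle)
    svc.register("operator", "correct-horse")          # constructed credential
    evaluated = sum(svc.attempt("operator", f"guess{i}", i) == "fail" for i in range(guesses))
    return {"evaluated": evaluated, "real_pw": svc.attempt("operator", "correct-horse", guesses)}
```

With throttling off all 20 guesses are evaluated and the account remains open; with it on only the first 5 are evaluated and the account stays locked for the remainder of the window, which is also the condition a detection rule on repeated failures per account can key on.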

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Why these techniques?

Directly enables brute-force password guessing against a public web login due to missing rate limiting.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate-limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.

Deeper analysis

CVE-2026-22616 is a vulnerability in Eaton Intelligent Power Protector (IPP) software that enables repeated authentication attempts against the web interface login page due to insufficient rate-limiting controls. This issue, classified under CWE-307: Improper Restriction of Excessive Authentication Attempts, affects the IPP software's web interface and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). The vulnerability was published on 2026-04-16.

Remote attackers with network access can exploit this vulnerability without authentication privileges, user interaction, or high complexity. By conducting brute-force attacks on the login page, they may guess valid credentials, achieving limited impacts on confidentiality and integrity, such as unauthorized access to certain data or minor modifications, with no effect on availability.

Eaton has fixed this security issue in the latest version of IPP, which is available on the Eaton download centre. Additional details on the vulnerability and mitigation are outlined in Eaton's security bulletin at https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf.

Details

CWE(s): CWE-307 Improper Restriction of Excessive Authentication Attempts

Affected Products: Eaton Intelligent Power Protector ≤ 2.00

CVEs Like This One

CVE-2026-22618: same product (Eaton Intelligent Power Protector)
CVE-2026-22619: same product (Eaton Intelligent Power Protector)
CVE-2026-22615: same product (Eaton Intelligent Power Protector)
CVE-2026-22617: same product (Eaton Intelligent Power Protector)
CVE-2024-51476: shared CWE-307
CVE-2025-64310: shared CWE-307
CVE-2026-32295: shared CWE-307
CVE-2026-36959: shared CWE-307
CVE-2025-25595: shared CWE-307
CVE-2025-12995: shared CWE-307
