CVE-2026-22618

Medium

Published: 16 April 2026

Published

16 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

EPSS Score 0.0001 1.3th percentile

Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22618 is a medium-severity Improperly Implemented Security Check for Standard (CWE-358) vulnerability in Eaton Intelligent Power Protector. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

CM-6 Configuration Settings good match

prevent

CM-6 directly addresses security misconfigurations by requiring establishment and enforcement of secure configuration settings, such as proper HTTP response headers in the Eaton IPP software.

SI-2 Flaw Remediation good match

prevent

SI-2 ensures timely identification, reporting, and application of software patches, mitigating this vulnerability by updating to the fixed version of Eaton IPP.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

RA-5 vulnerability monitoring and scanning can identify insecure HTTP response header configurations in public-facing IPP instances prior to exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Insecure HTTP header misconfiguration in public-facing IPP web interface directly enables web-based attacks against the exposed application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton…

IPP software which is available on the Eaton download centre.

Deeper analysisAI

CVE-2026-22618 is a security misconfiguration vulnerability in Eaton Intelligent Power Protector (IPP) software, where an HTTP response header is set with an insecure attribute. This flaw potentially exposes users to web-based attacks and affects versions of Eaton IPP prior to the latest release. The vulnerability is rated with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N) and is associated with CWE-358.

Remote attackers with no privileges can exploit this vulnerability over the network, though it requires high attack complexity and user interaction. Successful exploitation enables limited confidentiality impact alongside high integrity impact, allowing attackers to potentially modify data in web-based attacks targeting affected IPP instances.

Eaton's security bulletin (ETN-VA-2025-1025) confirms the issue has been fixed in the latest version of IPP software, available for download from the Eaton download center. Security practitioners should update to the patched version to mitigate the risk.