Cyber Resilience

CVE-2026-22618

Medium

Published: 16 April 2026

Published
16 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
EPSS Score 0.0001 1.7th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22618 is a medium-severity Improperly Implemented Security Check for Standard (CWE-358) vulnerability in Eaton Intelligent Power Protector. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22618 is a security misconfiguration vulnerability in Eaton Intelligent Power Protector (IPP) software, where an HTTP response header is set with an insecure attribute. This flaw potentially exposes users to web-based attacks and affects versions of Eaton IPP prior to the latest release. The vulnerability is rated with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N) and is associated with CWE-358.

Remote attackers with no privileges can exploit this vulnerability over the network, though it requires high attack complexity and user interaction. Successful exploitation enables limited confidentiality impact alongside high integrity impact, allowing attackers to potentially modify data in web-based attacks targeting affected IPP instances.

Eaton's security bulletin (ETN-VA-2025-1025) confirms the issue has been fixed in the latest version of IPP software, available for download from the Eaton download center. Security practitioners should update to the patched version to mitigate the risk.

EU & UK References

Vulnerability details

A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton…

more

IPP software which is available on the Eaton download centre.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Insecure HTTP header misconfiguration in public-facing IPP web interface directly enables web-based attacks against the exposed application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22615Same product: Eaton Intelligent Power Protector
CVE-2026-22619Same product: Eaton Intelligent Power Protector
CVE-2026-22616Same product: Eaton Intelligent Power Protector
CVE-2026-22617Same product: Eaton Intelligent Power Protector
CVE-2026-1486Shared CWE-358
CVE-2025-66603Shared CWE-358
CVE-2025-59886Same vendor: Eaton
CVE-2026-44473Shared CWE-358
CVE-2026-29103Shared CWE-358
CVE-2020-9295Shared CWE-358

Affected Assets

eaton
intelligent power protector
≤ 2.00

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

CM-6 directly addresses security misconfigurations by requiring establishment and enforcement of secure configuration settings, such as proper HTTP response headers in the Eaton IPP software.

prevent

SI-2 ensures timely identification, reporting, and application of software patches, mitigating this vulnerability by updating to the fixed version of Eaton IPP.

detect

RA-5 vulnerability monitoring and scanning can identify insecure HTTP response header configurations in public-facing IPP instances prior to exploitation.

References