{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22616", "assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "state": "PUBLISHED", "assignerShortName": "Eaton", "dateReserved": "2026-01-08T04:55:11.728Z", "datePublished": "2026-04-16T04:54:48.148Z", "dateUpdated": "2026-04-16T04:54:48.148Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "shortName": "Eaton", "dateUpdated": "2026-04-16T04:54:48.148Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-307", "description": "CWE-307 Improper restriction of excessive authentication attempts", "type": "CWE"}]}], "affected": [{"vendor": "Eaton", "product": "IPP Software", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Eaton\u00a0Intelligent Power Protector (IPP)\u00a0software\u00a0allows repeated authentication attempts against the web interface login page due to insufficient rate\u2011limiting controls.\u00a0This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Eaton&nbsp;<span>Intelligent Power Protector (IPP)</span><span>&nbsp;software</span><span>&nbsp;</span><span>allows repeated authentication attempts against the web interface login page due to insufficient rate\u2011limiting controls.&nbsp;</span><span>This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.</span></p>"}]}], "references": [{"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Eaton\u00a0Intelligent Power Protector (IPP)\u00a0software\u00a0allows repeated authentication attempts against the web interface login page due to insufficient rate\u2011limiting controls.\u00a0This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre."}], "id": "CVE-2026-22616", "lastModified": "2026-04-16T05:16:14.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}, "published": "2026-04-16T05:16:14.563", "references": [{"source": "CybersecurityCOE@eaton.com", "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"}], "sourceIdentifier": "CybersecurityCOE@eaton.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "IPP Software", "source": "cna", "vendor": "Eaton"}, "product": "ipp_software", "vendor": "eaton"}], "analysis": {"en": {"generated_at": "2026-04-16T08:57:55.135639+00:00", "value": {"mitigation_remediation": ["Apply the latest Eaton IPP software update that resolves the rate-limiting issue.", "Restrict network access to the IPP web interface to trusted IP ranges or implement firewall rules that limit exposure.", "Enforce strong passwords and, if supported, enable two-factor authentication for IPP user accounts."], "summary": {"action": "Apply patch", "impact": "Credential compromise risk"}, "threat_synthesis": {"affected_systems": "Eaton:IPP Software, specifically the Eaton Intelligent Power Protector product. All releases prior to the most recent update are affected; the issue was resolved in the latest version available from the Eaton download centre.", "description_and_impact": "Eaton Intelligent Power Protector (IPP) software permits repeated authentication attempts against its web interface login page because rate-limiting controls are inadequate. This flaw enables a brute-force approach that could allow an attacker to guess valid credentials and gain unauthorized access to the device\u2019s configuration and monitoring functions.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, but the EPSS metric is not available, so precise exploitation probability remains unknown. The vulnerability has not been reported in the CISA KEV catalog. The likely attack vector is the publicly accessible web interface, which, if exposed to the Internet or a wide internal network, gives an attacker significant opportunity to launch repeated login attempts. Due to the lack of rate limitation, a determined attacker could potentially discover valid credentials, leading to unauthorized control of the device."}}}}, "created": "2026-04-16T06:30:05.894200+00:00", "title": "Repeated Authentication Attempts Due to Insufficient Rate\u2011Limiting in Eaton IPP Web Interface", "updated": "2026-04-16T09:00:05.295207+00:00", "vendors": ["eaton", "eaton$PRODUCT$ipp_software"]}