Eaton Intelligent Power Manager
Action: Plan Patch
Score: 8.7
Reference: ICS-CERT ICSA-21-110-06
Published: Apr 20, 2021
Attack Vector: Adjacent
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Eaton Intelligent Power Manager and related products contain multiple vulnerabilities (CWE-89 SQL injection, CWE-95 improper neutralization, CWE-20 improper input validation, CWE-434 unrestricted file upload, CWE-94 improper control of generation of code) that allow attackers to change settings, upload code, delete files, or execute commands on the power management system.
What this means
What could happen
An attacker with network access and valid credentials could execute arbitrary commands on power management systems, potentially disrupting power monitoring and control for electrical infrastructure or data center operations.
Who's at risk
Energy sector organizations operating Eaton Intelligent Power Manager systems, including power distribution facilities, electrical utilities, data centers, and industrial sites that rely on IPP, IPM, or IPM VA for power monitoring and management. Any facility with these products in active use for UPS, PDU, or power management oversight is affected.
How it could be exploited
An authenticated attacker on the network could inject SQL commands, upload malicious files, or directly execute code through one of the identified input validation or code generation flaws. The attack requires valid user credentials and network connectivity to the affected application.
Prerequisites
- Valid user credentials for Intelligent Power Manager, IPP, or IPM VA
- Network access to the affected application (local network or VPN)
- Knowledge of vulnerable input vectors (SQL injection, file upload, code execution endpoints)
Risk factors
- no patch available
- affects critical power management infrastructure
- requires valid credentials, but credentials are often shared or reused
- multiple vulnerability types increase the attack surface
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (3)
3 with fix, 3 EOL
Product                                                    Affected Versions   Fix Status
Intelligent Power Protector (IPP) : All                    < 1.68              1.68
Intelligent Power Manager (IPM): All                       < 1.69              1.69
Intelligent Power Manager Virtual Appliance (IPM VA): All  < 1.69              1.69
Remediation & Mitigation
Do now
Intelligent Power Protector (IPP) : All
HARDENING: Enforce strong password policies and multi-factor authentication for all user accounts with access to IPP, IPM, or IPM VA
All products
HARDENING: Isolate Intelligent Power Manager systems on a restricted network segment; implement firewall rules to limit access to known administrative IPs only
HARDENING: Monitor authentication logs and application activity for unauthorized access attempts, SQL injection patterns, or unusual file uploads
WORKAROUND: Review and disable unnecessary features or input fields that are not required for operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
WORKAROUND: Implement input validation rules at the firewall or WAF level to block SQL injection and script injection attempts targeting the application
HOTFIX: Plan an upgrade path to Intelligent Power Manager version 1.69 or later and Intelligent Power Protector version 1.68 or later, when available and after testing in a non-production environment