OTPulse

Eaton Intelligent Power Manager

Monitor | 5.2 | ICS-CERT ICSA-22-130-04 | May 10, 2022
Attack Vector: Adjacent
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Eaton Intelligent Power Manager v1 (all versions prior to 1.70) contains a code injection vulnerability that could allow an attacker with administrative credentials to execute arbitrary code on the device. The vulnerability stems from improper handling of untrusted input data. No patch is available from the vendor for this end-of-life product.

What this means
What could happen
An attacker with administrative access to Intelligent Power Manager could execute arbitrary code on the device, potentially disrupting power monitoring and control operations in your facility.
Who's at risk
Electric utilities and facilities managers operating Eaton Intelligent Power Manager v1 for power distribution monitoring and control should prioritize this issue. The vulnerability affects unpatched versions used in energy infrastructure to monitor and manage electrical loads and systems.
How it could be exploited
An attacker with high-level privileges on the IPM system could inject untrusted data into the application to trigger code execution. This requires the attacker to already have administrative credentials or to have compromised an engineering workstation with those credentials.
Prerequisites
  • Administrative credentials for Intelligent Power Manager
  • Network access to the IPM interface or engineering workstation
  • IPM version 1.x prior to 1.70
no patch available | requires high-level credentials | affects power management systems
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Intelligent Power Manager (IPM) v1: All | < 1.70 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Review and restrict user accounts with administrative privileges on IPM systems to only those who require them
HARDENING: Monitor administrative activity and login attempts to Intelligent Power Manager for unusual access patterns
Mitigations - no patch available
Intelligent Power Manager (IPM) v1 (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to restrict administrative access to Intelligent Power Manager to authorized engineering workstations only