Power management solutions provider Eaton has released patches for its Intelligent Power Manager (IPM) software to address several potentially serious vulnerabilities, including ones that researchers say could allow hackers to disrupt power supply.
Eaton’s IPM solution is designed to ensure system uptime and data integrity by allowing organizations to remotely monitor, manage and control the uninterruptible power supply (UPS) devices on their network.
According to security advisories published this month by Eaton and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the IPM product is affected by six high-severity vulnerabilities that can be exploited for SQL injection, command execution, deleting arbitrary files, uploading arbitrary files, and remote code execution.
While some of the vulnerabilities can only be exploited by an authenticated attacker, others can be exploited without authentication, including for arbitrary code execution.
Amir Preminger, VP of research at industrial cybersecurity firm Claroty, who has been credited by Eaton for reporting the six vulnerabilities, told SecurityWeek that the issues were identified in a web server interface of the IPM software that enables users to configure the product. This web server is typically accessible from the local network and is not hosted on public-facing servers.
“The goal of the Eaton IPM software is to enable users to manage their UPS system. By exploiting a server using this software, an attacker can disrupt the UPS operations and therefore disrupt the power supply to equipment that relies on the UPS as its power source,” Preminger explained.
He added, “The bottom line is that this product should be patched, since a few of the CVEs are pre-auth and could be exploited by adversaries without prior knowledge about the server setup.”
The security holes impact Eaton IPM and Intelligent Power Manager Virtual Appliance (IPM VA) running versions prior to 1.69, and Intelligent Power Protector (IPP) running versions prior to 1.68. Versions 1.69 and 1.68 address the vulnerabilities. Organizations can also block ports 4679 and 4680 to prevent exploitation.
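As an added triage example, not code from the article or from Eaton: a short Python script that flags inventory entries running a version below the fixed releases named above and notes whether the advisory's ports are reachable. The inventory, hostnames and version strings are constructed, and the exposure flag assumes you already know which ports are reachable from outside the management network.

```python
from dataclasses import dataclass

# Fixed versions from the Eaton/CISA advisories; IPM VA shares IPM's version line.
FIXED_VERSION = {"IPM": (1, 69), "IPM VA": (1, 69), "IPP": (1, 68)}
# Ports the advisory says can be blocked to prevent exploitation.
ADVISORY_PORTS = {4679, 4680}

@dataclass
class Host:
    name: str
    product: str
    version: str
    open_ports: set  # ports reachable from outside the management network (assumed known)

def parse_version(v):
    # "1.69" -> (1, 69); a trailing build component like "1.69.1" (assumed format) still compares.
    return tuple(int(p) for p in v.strip().split("."))

def is_patched(product, version):
    fixed = FIXED_VERSION.get(product)
    if fixed is None:
        raise ValueError(f"unknown product {product!r}")
    return parse_version(version) >= fixed

def triage(hosts):
    """Return (name, status) pairs, most urgent first."""
    results = []
    for h in hosts:
        patched = is_patched(h.product, h.version)
        exposed = bool(ADVISORY_PORTS & set(h.open_ports))
        if not patched and exposed:
            status = "CRITICAL: unpatched, IPM ports reachable"
        elif not patched:
            status = "HIGH: unpatched, ports filtered"
        elif exposed:
            status = "LOW: patched, consider restricting 4679/4680"
        else:
            status = "OK"
        results.append((h.name, status))
    order = {"CRITICAL": 0, "HIGH": 1, "LOW": 2, "OK": 3}
    return sorted(results, key=lambda r: order[r[1].split(":")[0]])

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_HOSTS = [
    Host("ups-mgr-01", "IPM", "1.67", {4679, 4680}),
    Host("ups-mgr-02", "IPM VA", "1.69", {4679}),
    Host("ipp-node-03", "IPP", "1.65", set()),
    Host("ipp-node-04", "IPP", "1.68", set()),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_HOSTS):
        print(f"{name:12} {status}")
```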

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.