CVE-2018-12031

CRITICAL EXPLOITED NUCLEI

Eaton Intelligent Power Manager <1.6 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2018-12031 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including EmreOvunc. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a proof-of-concept for a Local File Inclusion (LFI) vulnerability in Eaton Intelligent Power Manager v1.6. The exploit leverages a path traversal attack via the 'firmware' parameter in a specific endpoint to disclose sensitive system files.

Description

Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via server/node_upgrade_srv.js directory traversal with the firmware parameter in a downloadFirmware action.

Exploits (1)

nomisec WORKING POC 4 stars
by EmreOvunc · infoleak
https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion

This repository provides a proof-of-concept for a Local File Inclusion (LFI) vulnerability in Eaton Intelligent Power Manager v1.6. The exploit leverages a path traversal attack via the 'firmware' parameter in a specific endpoint to disclose sensitive system files.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Eaton Intelligent Power Manager v1.6
No auth needed
Prerequisites: Network access to the target system · Target running Eaton Intelligent Power Manager v1.6
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Eaton Intelligent Power Manager 1.6 - Directory Traversal
CRITICALby daffainfo

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.1731
EPSS Percentile 96.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-11-26
CWE
CWE-22
Status published
Products (1)
eaton/intelligent_power_manager 1.6
Published Jun 07, 2018
Tracked Since Feb 18, 2026