CVE-2021-23281

CRITICAL

Eaton Intelligent Power Manager <1.69 - RCE

Title source: llm

Description

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to rouge SNMP server and execute attacker-controlled code.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_misc

https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf

Scores

CVSS v3 10.0

EPSS 0.0223

EPSS Percentile 80.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (1)

eaton/intelligent_power_manager < 1.69

Published Apr 13, 2021

Tracked Since Feb 18, 2026