CVE-2021-23281

Summary

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to rouge SNMP server and execute attacker-controlled code.

Affected Software

VendorProductVersion RangeStatus
EatonIntelligent Power manager (IPM)unspecified < 1.69affected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

Workarounds

To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 & 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used

ADP Enrichment

CVE Program Container

Additional References

References