Eaton Vulnerabilities Allow Attackers to Execute Arbitrary Code on Host Systems


Eaton has issued a critical security advisory warning users about multiple high-severity vulnerabilities in its UPS Companion software that could allow attackers to execute arbitrary code on affected systems.

The power management company released patches addressing two significant security flaws that pose substantial risks to organizations using the software for uninterruptible power supply management.

The security advisory, identified as ETN-VA-2025-1026, discloses two vulnerabilities with CVSS scores ranging from high to medium severity.

| CVE ID | CVSS v3.1 Score | Severity | Vulnerability Type |
|---|---|---|---|
| CVE-2025-59887 | 8.6 | High | Insecure Library Loading |
| CVE-2025-59888 | 6.7 | Medium | Improper Quotation |

The first vulnerability, tracked as CVE-2025-59887, carries a CVSS v3.1 base score of 8.6 and involves insecure library loading in the Eaton IPP software installer.

This flaw could enable an attacker who gains access to the software package to execute arbitrary code.

The vulnerability’s high severity stems from its potential to compromise confidentiality, integrity, and availability with minimal attack complexity.

The second flaw, CVE-2025-59888, scores 6.7 on the CVSS scale and affects the Eaton UPS Companion software due to improper quoting in search paths.

Attackers with file system access could exploit this weakness to perform arbitrary code execution, though it requires high-level privileges.

Both vulnerabilities target the local attack vector, meaning exploitation typically involves some level of access to the target system.
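The second flaw is an instance of the classic unquoted search path weakness (CWE-428): when a service or launcher command line contains spaces but the executable path is not quoted, the system may resolve it ambiguously. The audit helper below is an added example, not Eaton's code or any real Eaton path; the service names and command lines are constructed, and it flags unquoted command lines and shows the corrected, quoted form an administrator should apply.

```python
import re

# Constructed sample service command lines (hypothetical, not Eaton's real paths).
# "WeakSvc" is the weak setting; "GoodSvc" shows the corrected, quoted form.
SAMPLE_IMAGE_PATHS = {
    "GoodSvc": '"C:\\Program Files\\Vendor Tool\\svc.exe" --run',
    "WeakSvc": 'C:\\Program Files\\Vendor Tool\\svc.exe --run',
    "NoSpace": 'C:\\Windows\\system32\\svchost.exe -k netsvcs',
}

# Executable portion of a command line: everything up to the first ".exe".
_EXE_RE = re.compile(r'(.*?\.exe)(.*)', re.IGNORECASE | re.DOTALL)


def split_command(image_path: str):
    """Return (executable_part, argument_part) for an unquoted command line."""
    m = _EXE_RE.match(image_path.strip())
    if m is None:
        # No .exe token: treat the whole string as the executable path.
        return image_path.strip(), ""
    return m.group(1), m.group(2)


def is_unquoted_search_path(image_path: str) -> bool:
    """True when the executable path is unquoted and contains a space (CWE-428)."""
    p = image_path.strip()
    if p.startswith('"'):
        return False  # already quoted; Windows resolves it unambiguously
    exe, _ = split_command(p)
    return " " in exe


def quote_image_path(image_path: str) -> str:
    """Return the corrected command line: executable quoted, arguments unchanged."""
    p = image_path.strip()
    if not is_unquoted_search_path(p):
        return p
    exe, args = split_command(p)
    return f'"{exe}"{args}'


def audit(image_paths: dict) -> dict:
    """Map each weak service name to the quoted command line it should use."""
    return {name: quote_image_path(path)
            for name, path in image_paths.items()
            if is_unquoted_search_path(path)}


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: unquoted search path, should be {fixed}")
```

On a real host the dictionary would be populated from the service configuration (for example the ImagePath values of installed services) rather than from the constructed sample.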

All versions of the Eaton UPS Companion software before 3.0 are affected by these security issues.

Eaton strongly recommends that customers immediately upgrade to version 3.0, which includes comprehensive patches for both vulnerabilities.

The company emphasizes downloading software exclusively from Eaton’s official distribution channels to prevent supply chain attacks.

For organizations unable to immediately apply patches, Eaton recommends several mitigation measures, including restricting access to host systems to authorized personnel only, implementing secure firewalls for control system networks, and ensuring software is sourced from official channels.

Eaton also advises deploying control systems behind barrier devices and isolating them from business networks to minimise exposure.

Eaton’s cybersecurity team urges administrators to implement security best practices, such as changing default passwords, enabling audit logs, disabling unused services, and conducting regular security assessments.

Organizations requiring additional support can contact Eaton’s cybersecurity services team or visit the company’s dedicated cybersecurity website for comprehensive guidance.
