Critical Vulnerabilities in Eaton UPS Companion Software Expose Systems to Arbitrary Code Execution
Eaton has issued a critical security advisory, identified as ETN-VA-2025-1026, addressing multiple vulnerabilities in its UPS Companion (EUC) software. These flaws, if exploited, could allow attackers to execute arbitrary code on the host system, potentially granting them complete control over affected devices.
Vulnerability Overview:
The advisory highlights two specific vulnerabilities affecting all versions of the Eaton UPS Companion software prior to version 3.0:
1. CVE-2025-59887: This high-severity vulnerability (CVSS score of 8.6) involves insecure library loading within the software installer. Attackers with access to the software package could exploit this flaw to execute arbitrary code. Such vulnerabilities often occur when applications load dynamic link libraries (DLLs) from insecure paths, allowing malicious files to be loaded instead of legitimate ones.
2. CVE-2025-59888: Rated with a CVSS score of 6.7, this medium-severity issue pertains to an unquoted search path in the software. An attacker with local file system access could place a malicious executable in a specific location that the software might unintentionally run. The flaw stems from how the Windows operating system resolves file paths that contain spaces but are not enclosed in quotation marks: each space is treated as a possible boundary between the executable name and its arguments, so a file at one of the shorter candidate paths can be started instead of the intended one.
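To find the weakness class behind CVE-2025-59888 on a host, an administrator can audit every registered Windows service for an image path that contains a space but is not quoted. The following PowerShell is an added example for that audit and is not code from Eaton or from the advisory; it assumes the standard `Win32_Service` CIM class and the `ImagePath` value under `HKLM:\SYSTEM\CurrentControlSet\Services\<name>`, and the repair function must be run from an elevated session. Service names, paths and the `-WhatIf` usage line are illustrative.

```powershell
# Added example (not from the Eaton advisory): audit Windows services for
# unquoted image paths that contain spaces, the weakness class behind CVE-2025-59888.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    # Win32_Service.PathName holds the command line the Service Control Manager runs.
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object {
            $path = $_.PathName
            # Skip services with no path and paths that are already quoted.
            if (-not $path -or $path.StartsWith('"')) { return }

            # Take the executable portion (up to the first ".exe") and test it for spaces.
            if ($path -match '^(?<exe>[^"]*?\.exe)(?<args>.*)$' -and $Matches['exe'] -match ' ') {
                [PSCustomObject]@{
                    Name      = $_.Name
                    StartName = $_.StartName     # account the service runs as; SYSTEM makes the finding worse
                    StartMode = $_.StartMode
                    PathName  = $path
                    Exe       = $Matches['exe']
                    Arguments = $Matches['args'].Trim()
                }
            }
        }
}

function Repair-UnquotedServicePath {
    # Quotes the executable portion of a service's ImagePath in the registry.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $PathName
    )
    process {
        if ($PathName -notmatch '^(?<exe>[^"]*?\.exe)(?<args>.*)$') { return }
        $fixed = '"' + $Matches['exe'] + '"' + $Matches['args']
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"

        if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
            # ImagePath is normally REG_EXPAND_SZ; keep that type so %SystemRoot%-style values still expand.
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
        }
    }
}

# Usage (illustrative):
#   Get-UnquotedServicePath | Format-Table Name, StartName, Exe -AutoSize
#   Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf   # preview only
#   Get-UnquotedServicePath | Repair-UnquotedServicePath           # apply, elevated session required
```

The audit reports the account each service runs under because that is what an attacker who can write to an intermediate directory would inherit; findings for services running as LocalSystem deserve attention first. The repair changes only the registry value and takes effect the next time the service starts, so a restart of the service (or the host) is needed for the corrected path to be in use.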
Potential Impact:
Exploitation of these vulnerabilities could lead to:
– Arbitrary Code Execution: Attackers could run malicious code on the host system, potentially leading to data theft, system compromise, or further network infiltration.
– System Control: With complete control over an affected device, attackers could manipulate system operations, disable critical functions, or deploy additional malware.
Mitigation Measures:
Eaton has released version 3.0 of the UPS Companion software to address these vulnerabilities. Users are strongly advised to update their software immediately to mitigate potential risks. The update is available through Eaton’s official software distribution channels.
For users unable to apply the patch immediately, Eaton recommends the following mitigation steps:
– Access Restriction: Limit local and remote access to the host system to authorized personnel only.
– Network Security: Ensure that all control system networks are placed behind securely configured firewalls.
– Software Integrity: Avoid downloading software from unofficial sources to prevent tampering.
Conclusion:
The discovery of these vulnerabilities underscores the importance of regular software updates and vigilant security practices. Organizations utilizing Eaton’s UPS Companion software should prioritize updating to version 3.0 and implement the recommended mitigation measures to safeguard their systems against potential exploitation.