A vital safety advisory addressing a number of vulnerabilities found within the Eaton UPS Companion (EUC) software program.
These safety flaws, if exploited, may permit attackers to execute arbitrary code on the host system, doubtlessly giving them full management over affected gadgets.
The advisory, recognized as ETN-VA-2025-1026, highlights two particular vulnerabilities affecting all variations of the Eaton UPS Companion software program earlier than model 3.0.
The corporate has categorized the general threat as Excessive, urging customers to replace their software program instantly.
CVE IDSeverityFlaw TypeIssue SummaryCVE-2025-59887High (8.6)Insecure Library LoadingA flaw within the installer permits attackers to run malicious code by exploiting insecure library loading.CVE-2025-59888Medium (6.7)Unquoted Search PathAn unquoted search path subject lets native attackers execute malicious information on the system.
Vulnerability Particulars
Probably the most extreme subject, tracked as CVE-2025-59887, carries a CVSS rating of 8.6 (Excessive). This vulnerability includes insecure library loading inside the software program installer.
Safety researchers discovered that an attacker with entry to the software program bundle may exploit this flaw to execute arbitrary code.
This sort of vulnerability usually happens when an utility masses dynamic hyperlink libraries (DLLs) from an insecure path, permitting malicious information to be loaded as a substitute of legit ones.
The second vulnerability, CVE-2025-59888 (CVSS 6.7), pertains to an “improper citation” subject within the software program’s search paths.
On this state of affairs, if an attacker has entry to the native file system, they might place a malicious executable in a particular location that the software program unintentionally runs.
This flaw particularly targets how the Home windows working system handles file paths that comprise areas however lack citation marks.
Eaton has launched model 3.0 of the UPS Companion software program to patch these flaws. The corporate strongly advises all clients emigrate to this safe model instantly.
The replace is out there for obtain via Eaton’s official software program distribution channels. For customers unable to use the patch instantly, Eaton recommends the next mitigation steps: Prohibit native and distant entry to the host system to approved personnel solely.
Be sure that all management system networks are positioned behind securely configured firewalls. Keep away from downloading software program from unofficial sources to forestall tampering.
By conserving techniques updated and proscribing entry, organizations can considerably cut back the chance of exploitation.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
