Eaton UPS Software Vulnerabilities Allow Code Execution Risks
TL;DR
Eaton UPS Companion Software Vulnerabilities
Multiple vulnerabilities have been identified in Eaton UPS Companion (EUC) software, potentially allowing attackers to execute arbitrary code on the host system. The advisory is identified as ETN-VA-2025-1026. Eaton has classified the overall risk as High and recommends that users update their software immediately.
Vulnerability Summary
| CVE ID | Severity | Flaw Type | Issue Summary |
|---|---|---|---|
| CVE-2025-59887 | High (8.6) | Insecure Library Loading | A flaw in the installer allows attackers to run malicious code by exploiting insecure library loading. |
| CVE-2025-59888 | Medium (6.7) | Unquoted Search Path | An unquoted search path issue lets local attackers execute malicious files on the system. |
Technical Details of Vulnerabilities
CVE-2025-59887, with a CVSS score of 8.6 (High), involves insecure library loading within the software installer. An attacker with access to the software package could exploit this flaw to execute arbitrary code. The flaw arises because the installer loads dynamic-link libraries (DLLs) from an insecure search path, so a malicious library placed there can be loaded in place of the intended one.
CVE-2025-59888 (CVSS 6.7) is an unquoted search path issue in the software's file paths. An attacker with access to the local file system could place a malicious executable in a location that the software unintentionally runs. The flaw stems from how the Windows operating system resolves file paths that contain spaces but lack quotation marks.
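As an added example (not code from the advisory or from Eaton), the following PowerShell audits a Windows host for the condition behind CVE-2025-59888: a service image path that contains spaces, is not quoted, and crosses a directory writable by low-privilege users. It assumes the unquoted path is a service ImagePath, which the advisory does not state; the function names are this example's own.

```powershell
# Added example, not from the Eaton advisory or Eaton's software: audit Windows
# services for unquoted ImagePath values containing spaces, the condition behind
# the CVE-2025-59888 flaw class. Assumption: the unquoted path is a service
# ImagePath; the advisory does not state where the path is used.
function Test-WritableByUsers {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $needed = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        # CreateFiles (WriteData) is the right that lets a user drop a file here
        if (($ace.FileSystemRights -band $needed) -eq $needed) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and -not $_.PathName.Trim().StartsWith('"') }
    foreach ($svc in $services) {
        $path = $svc.PathName.Trim()
        # The executable ends at the first ".exe"; anything after it is arguments
        $end = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        $exe = if ($end -ge 0) { $path.Substring(0, $end + 4) } else { $path }
        if ($exe -notmatch '\s') { continue }
        # Every space-separated prefix is a location Windows probes before the
        # real executable; its parent directory must not be user-writable.
        $parts = $exe -split '\s+'
        $exposed = @()
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $dir = Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
            if ($dir -and (Test-WritableByUsers -Directory $dir)) { $exposed += $dir }
        }
        [pscustomobject]@{
            Service            = $svc.Name
            RunsAs             = $svc.StartName
            ImagePath          = $path
            UserWritableParent = ($exposed | Select-Object -Unique) -join '; '
        }
    }
}

# Report only: services with a non-empty UserWritableParent are the ones to fix
# (quote the path, tighten the directory ACL, or update to the patched version).
Get-UnquotedServicePath | Format-Table -AutoSize
```

Run from an elevated prompt so Get-Acl can read every directory; a service whose UserWritableParent is empty is unquoted but not currently exploitable by a standard user.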
Remediation Steps
Eaton has released version 3.0 of the UPS Companion software to patch these flaws. Customers are advised to update their software to version 3.0.
For users unable to apply the patch immediately, Eaton recommends the following mitigation steps:
- Restrict local and remote access to the host system to authorized personnel only.
- Ensure that all control system networks are placed behind securely configured firewalls.
- Avoid downloading software from unofficial sources to prevent tampering.
Gopher Security's Zero-Trust Solution
These vulnerabilities highlight the importance of a robust cybersecurity architecture. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, providing a comprehensive solution that converges networking and security across various environments. Our platform utilizes peer-to-peer encrypted tunnels and quantum-resistant cryptography to secure devices, apps, and environments, from endpoints and private networks to cloud, remote access, and containers.
By implementing Gopher Security's Zero-Trust approach, organizations can significantly reduce the risk of exploitation by ensuring that every user, device, and application is authenticated and authorized before gaining access to critical resources. This proactive security posture minimizes the attack surface and contains potential breaches, mitigating the impact of vulnerabilities like those found in the Eaton UPS Companion software.
Explore Gopher Security's offerings and contact us to learn more about how our AI-powered, post-quantum Zero-Trust cybersecurity architecture can protect your organization from evolving threats.