Search
Find a vulnerability
Search criteria
6 vulnerabilities found for UPS Companion software by Eaton
CVE-2025-67450 (GCVE-0-2025-67450)
Vulnerability from nvd – Published: 2025-12-26 06:59 – Updated: 2025-12-26 14:55
VLAI
Summary
Due to insecure library loading in the Eaton UPS Companion software executable, an attacker with access to the software package
could perform arbitrary code execution . This security issue has been fixed in the latest version of EUC which is available on the Eaton download center.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eaton | UPS Companion software |
Affected:
0 , < 3.0
(custom)
|
Date Public
2025-12-26 06:54
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67450",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:55:41.664201Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:55:51.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UPS Companion software",
"vendor": "Eaton",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-12-26T06:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to insecure library loading in the Eaton UPS Companion software executable,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ean attacker with access to the software package\u003c/span\u003e\n\n could perform arbitrary code execution .\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis security issue has been fixed in the latest version of EUC which is available on the Eaton download center.\u003c/span\u003e"
}
],
"value": "Due to insecure library loading in the Eaton UPS Companion software executable,\u00a0an attacker with access to the software package\n\n could perform arbitrary code execution .\u00a0This security issue has been fixed in the latest version of EUC which is available on the Eaton download center."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T06:59:41.375Z",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1027.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2025-67450",
"datePublished": "2025-12-26T06:59:41.375Z",
"dateReserved": "2025-12-08T12:25:10.744Z",
"dateUpdated": "2025-12-26T14:55:51.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59888 (GCVE-0-2025-59888)
Vulnerability from nvd – Published: 2025-12-26 06:53 – Updated: 2026-01-08 04:54
VLAI
Summary
Improper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the
file system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-428 - Unquoted Search Path or Element
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eaton | UPS Companion software |
Affected:
0 , < 3.0
(custom)
|
Date Public
2025-12-26 06:48
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T15:37:33.011545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T15:37:43.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UPS Companion software",
"vendor": "Eaton",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-12-26T06:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eImproper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the \n\nfile system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center.\u0026nbsp;\u003c/span\u003e"
}
],
"value": "Improper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the \n\nfile system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "CWE-428 Unquoted Search Path or Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T04:54:56.884Z",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1026.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2025-59888",
"datePublished": "2025-12-26T06:53:33.887Z",
"dateReserved": "2025-09-23T08:34:05.389Z",
"dateUpdated": "2026-01-08T04:54:56.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-6650 (GCVE-0-2020-6650)
Vulnerability from nvd – Published: 2020-03-23 13:25 – Updated: 2024-09-16 20:07
VLAI
Title
Arbitrary code execution through “Update Manager” Class
Summary
UPS companion software v1.05 & Prior is affected by ‘Eval Injection’ vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.”eval” in “Update Manager” class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed.
Severity
8.3 (High)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.eaton.com/content/dam/eaton/company/n… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eaton | UPS Companion Software |
Affected:
unspecified , ≤ 1.05
(custom)
|
Date Public
2020-03-20 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:11:04.527Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-UPS-companion-software.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "UPS Companion Software",
"vendor": "Eaton",
"versions": [
{
"lessThanOrEqual": "1.05",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ravjot Singh Samra"
}
],
"datePublic": "2020-03-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "UPS companion software v1.05 \u0026 Prior is affected by \u2018Eval Injection\u2019 vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.\u201deval\u201d in \u201cUpdate Manager\u201d class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-23T13:25:43.000Z",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-UPS-companion-software.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "Download and install the latest version from product website."
}
],
"source": {
"advisory": "ETN-VA-2020-1001",
"defect": [
"ETN-VA-2020-1001"
],
"discovery": "EXTERNAL"
},
"title": "Arbitrary code execution through \u201cUpdate Manager\u201d Class",
"workarounds": [
{
"lang": "en",
"value": "Connect the host machine behind firewall and do not expose directly to internet."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Eval Injection",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2020-03-20T07:35:00.000Z",
"ID": "CVE-2020-6650",
"STATE": "PUBLIC",
"TITLE": "Arbitrary code execution through \u201cUpdate Manager\u201d Class"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "UPS Companion Software",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.05"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ravjot Singh Samra"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "UPS companion software v1.05 \u0026 Prior is affected by \u2018Eval Injection\u2019 vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.\u201deval\u201d in \u201cUpdate Manager\u201d class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-UPS-companion-software.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-UPS-companion-software.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "Download and install the latest version from product website."
}
],
"source": {
"advisory": "ETN-VA-2020-1001",
"defect": [
"ETN-VA-2020-1001"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Connect the host machine behind firewall and do not expose directly to internet."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2020-6650",
"datePublished": "2020-03-23T13:25:43.903Z",
"dateReserved": "2020-01-09T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:07:28.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-67450 (GCVE-0-2025-67450)
Vulnerability from cvelistv5 – Published: 2025-12-26 06:59 – Updated: 2025-12-26 14:55
VLAI
Summary
Due to insecure library loading in the Eaton UPS Companion software executable, an attacker with access to the software package
could perform arbitrary code execution . This security issue has been fixed in the latest version of EUC which is available on the Eaton download center.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eaton | UPS Companion software |
Affected:
0 , < 3.0
(custom)
|
Date Public
2025-12-26 06:54
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67450",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:55:41.664201Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:55:51.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UPS Companion software",
"vendor": "Eaton",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-12-26T06:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to insecure library loading in the Eaton UPS Companion software executable,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ean attacker with access to the software package\u003c/span\u003e\n\n could perform arbitrary code execution .\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis security issue has been fixed in the latest version of EUC which is available on the Eaton download center.\u003c/span\u003e"
}
],
"value": "Due to insecure library loading in the Eaton UPS Companion software executable,\u00a0an attacker with access to the software package\n\n could perform arbitrary code execution .\u00a0This security issue has been fixed in the latest version of EUC which is available on the Eaton download center."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T06:59:41.375Z",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1027.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2025-67450",
"datePublished": "2025-12-26T06:59:41.375Z",
"dateReserved": "2025-12-08T12:25:10.744Z",
"dateUpdated": "2025-12-26T14:55:51.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59888 (GCVE-0-2025-59888)
Vulnerability from cvelistv5 – Published: 2025-12-26 06:53 – Updated: 2026-01-08 04:54
VLAI
Summary
Improper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the
file system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-428 - Unquoted Search Path or Element
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eaton | UPS Companion software |
Affected:
0 , < 3.0
(custom)
|
Date Public
2025-12-26 06:48
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T15:37:33.011545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T15:37:43.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UPS Companion software",
"vendor": "Eaton",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-12-26T06:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eImproper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the \n\nfile system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center.\u0026nbsp;\u003c/span\u003e"
}
],
"value": "Improper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the \n\nfile system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "CWE-428 Unquoted Search Path or Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T04:54:56.884Z",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1026.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2025-59888",
"datePublished": "2025-12-26T06:53:33.887Z",
"dateReserved": "2025-09-23T08:34:05.389Z",
"dateUpdated": "2026-01-08T04:54:56.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-6650 (GCVE-0-2020-6650)
Vulnerability from cvelistv5 – Published: 2020-03-23 13:25 – Updated: 2024-09-16 20:07
VLAI
Title
Arbitrary code execution through “Update Manager” Class
Summary
UPS companion software v1.05 & Prior is affected by ‘Eval Injection’ vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.”eval” in “Update Manager” class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed.
Severity
8.3 (High)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.eaton.com/content/dam/eaton/company/n… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eaton | UPS Companion Software |
Affected:
unspecified , ≤ 1.05
(custom)
|
Date Public
2020-03-20 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:11:04.527Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-UPS-companion-software.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "UPS Companion Software",
"vendor": "Eaton",
"versions": [
{
"lessThanOrEqual": "1.05",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ravjot Singh Samra"
}
],
"datePublic": "2020-03-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "UPS companion software v1.05 \u0026 Prior is affected by \u2018Eval Injection\u2019 vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.\u201deval\u201d in \u201cUpdate Manager\u201d class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-23T13:25:43.000Z",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-UPS-companion-software.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "Download and install the latest version from product website."
}
],
"source": {
"advisory": "ETN-VA-2020-1001",
"defect": [
"ETN-VA-2020-1001"
],
"discovery": "EXTERNAL"
},
"title": "Arbitrary code execution through \u201cUpdate Manager\u201d Class",
"workarounds": [
{
"lang": "en",
"value": "Connect the host machine behind firewall and do not expose directly to internet."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Eval Injection",
"ASSIGNER": "CybersecurityCOE@eaton.com",
"DATE_PUBLIC": "2020-03-20T07:35:00.000Z",
"ID": "CVE-2020-6650",
"STATE": "PUBLIC",
"TITLE": "Arbitrary code execution through \u201cUpdate Manager\u201d Class"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "UPS Companion Software",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.05"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ravjot Singh Samra"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "UPS companion software v1.05 \u0026 Prior is affected by \u2018Eval Injection\u2019 vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.\u201deval\u201d in \u201cUpdate Manager\u201d class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-UPS-companion-software.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-UPS-companion-software.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "Download and install the latest version from product website."
}
],
"source": {
"advisory": "ETN-VA-2020-1001",
"defect": [
"ETN-VA-2020-1001"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Connect the host machine behind firewall and do not expose directly to internet."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2020-6650",
"datePublished": "2020-03-23T13:25:43.903Z",
"dateReserved": "2020-01-09T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:07:28.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}