CVE-2021-23276

Improper Neutralization of Special Elements used in an SQL Command

Description

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base.

Remediation

Solution:

upgrade the software to latest version 1.69

Workaround:

To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 & 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used

References

Link	Tags
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-23276?: CVE-2021-23276 has been scored as a high severity vulnerability.
How to fix CVE-2021-23276?: To fix CVE-2021-23276: upgrade the software to latest version 1.69
Is CVE-2021-23276 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-23276 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-23276?: CVE-2021-23276 affects Eaton Intelligent Power manager (IPM).

Description

Remediation

Category

CWE-89 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References

Frequently Asked Questions