Eaton has released a security advisory after identifying multiple vulnerabilities in its UPS Companion (EUC) software. If exploited, these issues could allow attackers to run malicious code on the affected system and potentially gain full control.
The advisory, tracked as ETN-VA-2025-1026, affects all versions of Eaton UPS Companion before version 3.0. Eaton has rated the overall risk as High and recommends immediate action.
Affected Vulnerabilities: ETN-VA-2025-1026
Two security flaws were identified, both of which could be abused by attackers with local access:
- CVE-2025-59887 (High – CVSS 8.6): An insecure library loading issue in the installer. This flaw allows a malicious file to be loaded during installation, leading to arbitrary code execution.
- CVE-2025-59888 (Medium – CVSS 6.7): An unquoted search path vulnerability. If file paths are not handled correctly, an attacker could place a malicious executable that the software runs unintentionally.
Impact and Risk
The most serious issue involves how the installer loads required libraries. When files are loaded from unsafe locations, attackers can replace them with malicious versions.
The second flaw relates to how Windows handles file paths that contain spaces. When such a path is not enclosed in quotation marks, the system may execute the wrong file, which attackers can exploit if they have access to the system.
Together, these vulnerabilities could allow attackers to execute code on the host machine, putting connected systems at risk.
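To audit for the unquoted search path behaviour described above, the following added example (not code from Eaton or the advisory) takes service command lines and lists the earlier paths Windows may try before the intended executable, so their directory permissions can be reviewed. The service names and paths are constructed placeholders, and treating the first `.exe` token as the intended image is a simplifying assumption.

```python
import re

# Constructed sample service command lines; the names and paths are
# placeholders, not values from the Eaton advisory.
SAMPLES = {
    "ExampleSvcUnquoted": r"C:\Program Files\Example Vendor\UPS Tool\service.exe -run",
    "ExampleSvcQuoted": r'"C:\Program Files\Example Vendor\UPS Tool\service.exe" -run',
    "ExampleSvcNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def intended_image(cmdline):
    """Return the command line up to and including the first '.exe' token."""
    match = re.search(r"\.exe(?=\s|$)", cmdline, re.IGNORECASE)
    return cmdline[: match.end()] if match else cmdline


def ambiguous_candidates(cmdline):
    """List the earlier paths Windows may try before the intended image."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return []  # quoted image path: resolution is unambiguous
    image = intended_image(cmdline)
    candidates = []
    for index, char in enumerate(image):
        prefix = image[:index]
        if char == " " and prefix and not prefix.endswith(" "):
            # Windows treats the text before each space as a possible
            # program name and appends ".exe" when it has no extension.
            candidates.append(prefix + ".exe")
    return candidates


def audit(services):
    """Map each flagged service name to the paths that need an ACL review."""
    findings = {}
    for name, cmdline in services.items():
        candidates = ambiguous_candidates(cmdline)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, paths in audit(SAMPLES).items():
        print(f"{name}: unquoted path with spaces; verify these cannot be created by non-admins:")
        for path in paths:
            print(f"  {path}")
```

On a real host, the input would come from the service `ImagePath` values; quoting the path in the service configuration removes the ambiguity entirely.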
Mitigation and Recommendations
Eaton has released UPS Companion version 3.0, which addresses both vulnerabilities. Users are strongly advised to upgrade as soon as possible using Eaton’s official download channels.
For environments where an immediate update is not possible, Eaton recommends:
- Limiting local and remote access to authorized users only
- Placing control system networks behind properly configured firewalls
- Avoiding software downloads from unofficial or untrusted sources
Keeping systems updated and restricting access can significantly reduce the risk of exploitation.




