Power management giant Eaton dropped a critical security advisory on Christmas Eve, warning users of its UPS Companion (EUC) software to update immediately. The alert details two significant vulnerabilities that could allow local attackers to hijack the software and execute arbitrary code on the host system, potentially compromising the very computers monitoring critical power supplies.
The advisory, released on December 24, 2025, flags the overall risk as “High” with a maximum CVSS score of 8.6.
The more severe of the two flaws lies in how the software is installed. Tracked as CVE-2025-59887, this vulnerability stems from “insecure library loading,” a common class of bug often referred to as “DLL hijacking.”
According to the advisory, “Insecure library loading in the Eaton IPP software installer could lead to arbitrary code execution by an attacker with access to the software package”.
This means that if an attacker can place a malicious file in the same directory as the installer, the software effectively tricks itself into loading the malware instead of a legitimate system library, granting the attacker the same privileges as the user running the installation.
The second vulnerability, CVE-2025-59888 (CVSS 6.7), is a classic Windows service misconfiguration known as an “Unquoted Search Path” vulnerability. When a service’s binary path contains spaces (e.g., C:\Program Files\Eaton…) and is not enclosed in quotes, Windows may misinterpret the path, trying to run a program named C:\Program.exe instead of the intended executable.
Eaton warns that “due to improper quotation in search paths of EUC, an attacker with access to the file system could perform arbitrary code execution”.
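As an added example (not Eaton’s code and not taken from the advisory), the following PowerShell script lets a Windows administrator audit a host for the unquoted-path pattern described above and, after a dry run with -WhatIf, quote the affected paths in the registry; the function names are my own.

```powershell
# Added example: find Windows services whose executable path contains a space
# but is not wrapped in quotes (the condition behind CVE-2025-59888). Read-only.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = $_.PathName.Trim()
            # A path that starts with a quote is resolved unambiguously by Windows.
            if ($path.StartsWith('"')) { return }
            # Split the executable from its arguments: everything up to ".exe".
            $m   = [regex]::Match($path, '^(.+?\.exe)', 'IgnoreCase')
            $exe = if ($m.Success) { $m.Groups[1].Value } else { $path }
            # Whitespace inside an unquoted executable path is the vulnerable pattern.
            if ($exe -match '\s') {
                [pscustomobject]@{
                    Name      = $_.Name
                    StartName = $_.StartName          # account the service runs as
                    PathName  = $path
                    FixedPath = ('"{0}"' -f $exe) + $path.Substring($exe.Length)
                }
            }
        }
}

# Added example: rewrite ImagePath with the quoted form. Needs an elevated shell;
# honours -WhatIf / -Confirm so nothing changes until the operator says so.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Name)"
        if ($PSCmdlet.ShouldProcess($Finding.Name, "set ImagePath to $($Finding.FixedPath)")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $Finding.FixedPath
        }
    }
}

# Usage: list findings first, then preview the fix before applying it.
Get-UnquotedServicePath | Format-Table Name, StartName, PathName -AutoSize
Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

Findings where StartName is LocalSystem are the ones to prioritise, since an executable planted at the truncated path would run with that account’s privileges; a restart of the service picks up the corrected ImagePath.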
The vulnerabilities affect all versions of Eaton UPS Companion software prior to version 3.0.
“Customers are advised to migrate to the secure version by updating their software to version 3.0,” the company stated. This patch resolves both the high-severity installer issue and the medium-severity path flaw.