CVE-2022-33859
CVE-2022-33859 is a high-severity vulnerability in Eaton Foreseer Electrical Power Monitoring System with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-434.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- EPSS exploit prediction: 0% (27th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-434
- Affected product: Eaton Foreseer Electrical Power Monitoring System
- Published:
- Last modified:
Description
A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation’s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may upload arbitrary files using the file upload feature. This vulnerability is present in versions 4.x, 5.x, 6.x & 7.0 to 7.5. A new version (v7.6) containing the remediation has been made available by Eaton and a mitigation has been provided for the affected versions that are currently supported. Customers are advised to update the software to the latest version (v7.6). Foreseer EPMS versions 4.x, 5.x, 6.x are no longer supported by Eaton. Please refer to the End-of-Support notification https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html .
Frequently asked questions
- What is CVE-2022-33859?
- A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation’s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may upload arbitrary files using the file upload feature. This vulnerability is present in versions 4.x, 5.x, 6.x & 7.0 to 7.5. A new version (v7.6) containing the remediation has been made available by Eaton and a mitigation has been provided for the affected versions that are currently supported. Customers are advised to update the software to the latest version (v7.6). Foreseer EPMS versions 4.x, 5.x, 6.x are no longer supported by Eaton. Please refer to the End-of-Support notification https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html .
- How severe is CVE-2022-33859?
- CVE-2022-33859 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity high, and availability high.
- Is CVE-2022-33859 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (27th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-33859?
- CVE-2022-33859 affects Eaton Foreseer Electrical Power Monitoring System. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-33859?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-33859 published?
- CVE-2022-33859 was published on 2022-10-28 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:eaton:foreseer_electrical_power_monitoring_system:*:*:*:*:*:*:*:*
More vulnerabilities in Eaton Foreseer Electrical Power Monitoring System
- CVE-2024-31414 — Medium (CVSS 6.7): The Eaton Foreseer software provides users the capability to customize the dashboard in WebView pages. However, the…
- CVE-2024-31415 — Medium (CVSS 6.3): The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes…
- CVE-2024-31416 — Medium (CVSS 5.6): The Eaton Foreseer software provides multiple customizable input fields for the users to configure parameters in the…
All CVEs affecting Eaton Foreseer Electrical Power Monitoring System →
Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-57700 — Critical (CVSS 10.0): Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This…
- CVE-2025-69129 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7…
- CVE-2026-40772 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
- CVE-2026-40412 — Critical (CVSS 10.0): Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code…
Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →