PatchSiren cyber security CVE debrief
CVE-2026-22614 Eaton CVE debrief
CVE-2026-22614 is a medium-severity weakness in Eaton EasySoft’s project file encryption. According to the vendor advisory and NVD, the encryption used for the project file was insecure and susceptible to brute-force attacks. If an attacker has access to the project file and the local host machine, they could potentially recover sensitive information and tamper with the project file. Eaton states the issue has been fixed in the latest EasySoft release.
- Vendor: Eaton
- Product: EasySoft
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-10
- Original CVE updated: 2026-05-21
- Advisory published: 2026-03-10
- Advisory updated: 2026-05-21
Who should care
Organizations and engineers using Eaton EasySoft, especially anyone storing or transferring project files on local workstations or shared endpoints. Security teams should pay attention where EasySoft project files may contain sensitive configuration or operational data.
Technical summary
NVD lists the vulnerability as affecting EasySoft versions before 8.41. The published CVSS v3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, which aligns with a local-access issue requiring some existing privileges and access to the file and host. The vendor references CWE-257, and the core problem is weak encryption protecting the project file, allowing brute-force recovery of protected content and potential tampering.
Defensive priority
Medium. The issue requires local access and access to the project file, but it can expose high-value confidential data and enable integrity compromise of project files. Prioritize remediation on endpoints that store EasySoft projects or where those files may be copied, shared, or backed up.
Recommended defensive actions
- Upgrade Eaton EasySoft to the latest fixed version from the Eaton download centre.
- Review Eaton’s security advisory and mitigation guidance for CVE-2026-22614.
- Restrict access to EasySoft project files and the local systems that store them.
- Treat existing project files as potentially sensitive; review whether secrets or configuration data may have been exposed.
- If affected files were broadly shared, copied, or backed up, validate file integrity and replace any sensitive values that may have been stored inside them.
Evidence notes
All statements are based on the NVD record and the linked Eaton advisory. The NVD record shows the vulnerable EasySoft CPE range ends before 8.41 and provides CVSS v3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. The vendor advisory reference identifies CWE-257 and states the issue was fixed in the latest EasySoft version. CVE publishedAt: 2026-03-10T18:18:12.420Z; modifiedAt: 2026-05-21T13:07:15.060Z.
Official resources
- CVE-2026-22614 CVE record (CVE.org)
- CVE-2026-22614 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Vendor Advisory, Mitigation)
Publicly disclosed on 2026-03-10 and updated by the official record on 2026-05-21.