Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.
The vulnerability (CWE-489) consists of code intended exclusively for the test environment — containing statically embedded credentials — being included in the production version of the software. An attacker who discovers these credentials (e.g., through binary or source code analysis) can use them to authenticate to the server without knowing the proper passwords. Since these credentials are identical across all installations, the attack can be carried out by anyone with access to the application files.
An attacker can gain unauthorized access to a test or production server managing UPS power supply, potentially leading to compromise of confidentiality, integrity, and availability of the system.
Apply patches available from the vendor according to the references. Detailed information about patched versions is available in the CISA ICS Advisory ICSA-24-123-01 and on the CyberPower PowerPanel Business for Windows download page.
CyberPower PowerPanel — versions indicated in the vendor references (ICS Advisory ICSA-24-123-01)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCyberpower Powerpanel
APPCyberpower≤ 4.9.0
Related vulnerabilities
CyberPower PowerPanel: zakodowany klucz JWT umożliwia ominięcie uwierzytelnienia
CyberPower PowerPanel Business — zakodowane dane uwierzytelniające
CyberPower PowerPanel — zakodowane na stałe dane uwierzytelniające (hard-coded credentials)
Brak uwierzytelnienia w REST API CyberPower PowerPanel Enterprise
Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Window...