CRITICAL🇵🇱 Wersja polska

CVE-2024-32053

CVSS 9.8v3.1pub. 2024-05-15upd. 2025-07-30

Hard-coded credentials are used by the  CyberPower PowerPanel platform to authenticate to the database, other services, and the cloud. This could result in an attacker gaining access to services with the privileges of a Powerpanel business application.

🤖 AI Analysis
How it works

In CyberPower PowerPanel software, authentication credentials (username and password) are permanently embedded in the application code or configuration (CWE-798 — Use of Hard-coded Credentials). This means that each product installation has identical, unchangeable access credentials to the database, internal services, and cloud infrastructure. An attacker who obtains these credentials (e.g., through analysis of binary or configuration files) can use them to directly authenticate to any instance of the product, without needing their own privileges.

Impact

A remote attacker without authentication can gain full access (read, write, delete data) to the database, associated services, and cloud resources with PowerPanel Business application privileges, which may lead to breach of confidentiality, integrity, and system availability.

Mitigation & patch

Apply patches available from the vendor according to references — update available on the CyberPower website for PowerPanel Business for Windows product. Details regarding the patched version are contained in CISA ICS Advisory ICSA-24-123-01.

Who is affected

CyberPower PowerPanel Business (versions indicated in vendor references and CISA ICS-CERT advisory ICSA-24-123-01)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Cyberpower Powerpanel

    APP
    Cyberpower
    ≤ 4.9.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-33625CRITICAL9.8PL ✓ten sam produkt

CyberPower PowerPanel: zakodowany klucz JWT umożliwia ominięcie uwierzytelnienia

CVE-2024-34025CRITICAL9.8PL ✓ten sam produkt

CyberPower PowerPanel Business — zakodowane dane uwierzytelniające

CVE-2024-32047CRITICAL9.8PL ✓ten sam produkt

CyberPower PowerPanel — zakodowane na stałe dane uwierzytelniające w kodzie produkcyjnym

CVE-2024-32735CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia w REST API CyberPower PowerPanel Enterprise

CVE-2023-25133CRITICAL9.1ten sam produkt

Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Window...