CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication.
A hardcoded secret used to sign JWT (JSON Web Token) tokens is embedded in the PowerPanel Business application code. Because this key is identical across all software installations, an attacker who discovers it can independently generate and sign arbitrary JWT tokens. Such a prepared token will be accepted by the application as valid, allowing access to protected resources without possessing an account.
An attacker can gain unauthorized, full access to the PowerPanel Business application, potentially taking control of managed UPS power systems and sensitive configuration data.
Apply patches available from the manufacturer according to the references. Updates can be downloaded from the CyberPower website: https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads. It is also recommended to restrict network access to the application interface exclusively to trusted hosts.
CyberPower PowerPanel Business (versions specified in manufacturer references and CISA ICS-CERT advisory ICSA-24-123-01)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCyberpower Powerpanel
APPCyberpower≤ 4.9.0
Related vulnerabilities
CyberPower PowerPanel — zakodowane na stałe dane uwierzytelniające (hard-coded credentials)
CyberPower PowerPanel Business — zakodowane dane uwierzytelniające
CyberPower PowerPanel — zakodowane na stałe dane uwierzytelniające w kodzie produkcyjnym
Brak uwierzytelnienia w REST API CyberPower PowerPanel Enterprise
Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Window...