CRITICAL🇵🇱 Wersja polska

CVE-2024-32047

CVSS 9.8v3.1pub. 2024-05-15upd. 2025-07-30

Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.

🤖 AI Analysis
How it works

The vulnerability (CWE-489) consists of code intended exclusively for the test environment — containing statically embedded credentials — being included in the production version of the software. An attacker who discovers these credentials (e.g., through binary or source code analysis) can use them to authenticate to the server without knowing the proper passwords. Since these credentials are identical across all installations, the attack can be carried out by anyone with access to the application files.

Impact

An attacker can gain unauthorized access to a test or production server managing UPS power supply, potentially leading to compromise of confidentiality, integrity, and availability of the system.

Mitigation & patch

Apply patches available from the vendor according to the references. Detailed information about patched versions is available in the CISA ICS Advisory ICSA-24-123-01 and on the CyberPower PowerPanel Business for Windows download page.

Who is affected

CyberPower PowerPanel — versions indicated in the vendor references (ICS Advisory ICSA-24-123-01)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Cyberpower Powerpanel

    APP
    Cyberpower
    ≤ 4.9.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-33625CRITICAL9.8PL ✓ten sam produkt

CyberPower PowerPanel: zakodowany klucz JWT umożliwia ominięcie uwierzytelnienia

CVE-2024-34025CRITICAL9.8PL ✓ten sam produkt

CyberPower PowerPanel Business — zakodowane dane uwierzytelniające

CVE-2024-32053CRITICAL9.8PL ✓ten sam produkt

CyberPower PowerPanel — zakodowane na stałe dane uwierzytelniające (hard-coded credentials)

CVE-2024-32735CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia w REST API CyberPower PowerPanel Enterprise

CVE-2023-25133CRITICAL9.1ten sam produkt

Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Window...