Hard-coded credentials are used by the CyberPower PowerPanel platform to authenticate to the database, other services, and the cloud. This could result in an attacker gaining access to services with the privileges of a Powerpanel business application.
In CyberPower PowerPanel software, authentication credentials (username and password) are permanently embedded in the application code or configuration (CWE-798 — Use of Hard-coded Credentials). This means that each product installation has identical, unchangeable access credentials to the database, internal services, and cloud infrastructure. An attacker who obtains these credentials (e.g., through analysis of binary or configuration files) can use them to directly authenticate to any instance of the product, without needing their own privileges.
A remote attacker without authentication can gain full access (read, write, delete data) to the database, associated services, and cloud resources with PowerPanel Business application privileges, which may lead to breach of confidentiality, integrity, and system availability.
Apply patches available from the vendor according to references — update available on the CyberPower website for PowerPanel Business for Windows product. Details regarding the patched version are contained in CISA ICS Advisory ICSA-24-123-01.
CyberPower PowerPanel Business (versions indicated in vendor references and CISA ICS-CERT advisory ICSA-24-123-01)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCyberpower Powerpanel
APPCyberpower≤ 4.9.0
Related vulnerabilities
CyberPower PowerPanel: zakodowany klucz JWT umożliwia ominięcie uwierzytelnienia
CyberPower PowerPanel Business — zakodowane dane uwierzytelniające
CyberPower PowerPanel — zakodowane na stałe dane uwierzytelniające w kodzie produkcyjnym
Brak uwierzytelnienia w REST API CyberPower PowerPanel Enterprise
Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Window...