CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.
The manufacturer left a fixed, immutable set of authentication data in the application code (CWE-259 — use of hard-coded password). An attacker who discovers or guesses these credentials can log in to the application bypassing the normal authentication process. The vulnerability is remotely accessible, requires no prior authentication, and requires no user interaction, making it particularly dangerous.
An attacker can obtain full administrator privileges in the PowerPanel Business application, enabling takeover of managed UPS devices and potentially leading to compromise of confidentiality, integrity, and availability of infrastructure.
Apply patches available from the manufacturer according to the references. Updates are available on the CyberPower website at the address indicated in the references. Additionally, it is recommended to restrict network access to the PowerPanel Business application exclusively to trusted hosts and implement network segmentation for UPS management systems.
CyberPower PowerPanel Business for Windows system — versions indicated in the manufacturer references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCyberpower Powerpanel
APPCyberpower≤ 4.9.0
Related vulnerabilities
CyberPower PowerPanel — zakodowane na stałe dane uwierzytelniające (hard-coded credentials)
CyberPower PowerPanel: zakodowany klucz JWT umożliwia ominięcie uwierzytelnienia
CyberPower PowerPanel — zakodowane na stałe dane uwierzytelniające w kodzie produkcyjnym
Brak uwierzytelnienia w REST API CyberPower PowerPanel Enterprise
Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Window...