CRITICAL🇵🇱 Wersja polska

CVE-2024-34025

CVSS 9.8v3.1pub. 2024-05-15upd. 2025-08-04

CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.

🤖 AI Analysis
How it works

The manufacturer left a fixed, immutable set of authentication data in the application code (CWE-259 — use of hard-coded password). An attacker who discovers or guesses these credentials can log in to the application bypassing the normal authentication process. The vulnerability is remotely accessible, requires no prior authentication, and requires no user interaction, making it particularly dangerous.

Impact

An attacker can obtain full administrator privileges in the PowerPanel Business application, enabling takeover of managed UPS devices and potentially leading to compromise of confidentiality, integrity, and availability of infrastructure.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Updates are available on the CyberPower website at the address indicated in the references. Additionally, it is recommended to restrict network access to the PowerPanel Business application exclusively to trusted hosts and implement network segmentation for UPS management systems.

Who is affected

CyberPower PowerPanel Business for Windows system — versions indicated in the manufacturer references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Cyberpower Powerpanel

    APP
    Cyberpower
    ≤ 4.9.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-32053CRITICAL9.8PL ✓ten sam produkt

CyberPower PowerPanel — zakodowane na stałe dane uwierzytelniające (hard-coded credentials)

CVE-2024-33625CRITICAL9.8PL ✓ten sam produkt

CyberPower PowerPanel: zakodowany klucz JWT umożliwia ominięcie uwierzytelnienia

CVE-2024-32047CRITICAL9.8PL ✓ten sam produkt

CyberPower PowerPanel — zakodowane na stałe dane uwierzytelniające w kodzie produkcyjnym

CVE-2024-32735CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia w REST API CyberPower PowerPanel Enterprise

CVE-2023-25133CRITICAL9.1ten sam produkt

Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Window...