OTPulse

CyberPower PowerPanel Business

Act Now · CVSS 9.8 · ICS-CERT ICSA-24-123-01 · May 2, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

CyberPower PowerPanel Business versions 4.9.0 and earlier contain multiple critical vulnerabilities that allow attackers to bypass authentication, forge JWT tokens, write arbitrary files to the server, execute remote code, inject SQL commands, and access sensitive data. The vulnerabilities span CWEs related to hardcoded credentials (CWE-798, CWE-259), path traversal (CWE-23), missing authentication (CWE-257), SQL injection (CWE-89), and cryptographic key exposure (CWE-321). Successful exploitation could grant administrator privileges and allow full system compromise.

What this means
What could happen
An attacker could bypass authentication to gain administrator access to PowerPanel Business, allowing them to execute arbitrary commands on backup and power management systems, potentially disrupting power supply monitoring and failover operations for critical infrastructure.
Who's at risk
Energy utilities, water authorities, manufacturing facilities, and data centers that use CyberPower PowerPanel Business for uninterruptible power supply (UPS) and backup power management should prioritize this update. Any organization relying on PowerPanel Business to manage backup power systems for critical operations is at risk of service disruption if an attacker gains control.
How it could be exploited
An attacker on the network can send specially crafted requests to PowerPanel Business to exploit authentication bypass vulnerabilities or hardcoded credential flaws. Once authenticated or privileged, the attacker can upload malicious files or inject SQL commands to achieve remote code execution with application privileges, gaining control over power management and backup device configuration.
Prerequisites
  • Network access to PowerPanel Business web interface (typically port 443)
  • No valid user credentials required—vulnerabilities allow authentication bypass
  • Exposed to internal network or internet if not protected by firewall
remotely exploitable · no authentication required · low complexity · high CVSS (9.8) · allows remote code execution · affects critical infrastructure backup systems · default or hardcoded credentials in use
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product | Affected Versions | Fix Status
PowerPanel Business | ≤ 4.9.0 | 4.10.1
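An added inventory check (not part of the OTPulse advisory or CyberPower's software) that flags PowerPanel Business hosts in the affected range (≤ 4.9.0) and reports the fixed version (4.10.1); it compares version components numerically, because a plain string comparison would rank 4.9.0 above 4.10.1. Hostnames, the inventory layout and the "Other UPS Tool" product name are constructed.

```python
"""Added example: triage a constructed asset inventory against the
PowerPanel Business advisory (affected <= 4.9.0, fixed in 4.10.1)."""
from typing import Dict, List, Tuple

AFFECTED_MAX = "4.9.0"    # highest affected version per the advisory
FIXED_VERSION = "4.10.1"  # version the advisory says to update to


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.10.1' into (4, 10, 1) so each component compares numerically.
    Comparing the raw strings would put '4.9.0' after '4.10.1' and mark the
    fixed build as if it were older than the last affected one."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the installed version is <= 4.9.0."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the hosts running an affected build, each annotated with the
    actions from the advisory's 'Do now' list."""
    findings = []
    for host in inventory:
        if host["product"] != "PowerPanel Business":
            continue  # other products are out of scope for this advisory
        if is_affected(host["version"]):
            findings.append({
                "host": host["host"],
                "version": host["version"],
                "action": f"update to {FIXED_VERSION}; "
                          "restrict 443/tcp to management IPs",
            })
    return findings


# Constructed sample inventory (hostnames, versions and the non-PowerPanel
# product name are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "ups-mgmt-01.example", "product": "PowerPanel Business", "version": "4.8.2"},
    {"host": "ups-mgmt-02.example", "product": "PowerPanel Business", "version": "4.9.0"},
    {"host": "ups-mgmt-03.example", "product": "PowerPanel Business", "version": "4.10.1"},
    {"host": "ups-mgmt-04.example", "product": "Other UPS Tool", "version": "2.4.6"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['version']} is affected -> {f['action']}")
```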
Remediation & Mitigation
Do now
HOTFIX: Update PowerPanel Business to version 4.10.1 or later
WORKAROUND: Restrict network access to the PowerPanel Business console; use firewall rules to allow only authorized management IPs or VPN access
HARDENING: Disable internet-facing access to PowerPanel Business; ensure the service is only accessible from protected management networks
Long-term hardening
HARDENING: Implement network segmentation to isolate backup power management systems from production networks