PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-31409 CyberPower CVE debrief

CyberPower PowerPanel Business versions 4.9.0 and earlier contain an MQTT wildcard handling vulnerability that could allow an authenticated attacker to access data across the entire system. The issue stems from improper restriction of MQTT wildcard characters (such as '+' and '#'), which are not blocked on the system. Once an attacker gains access to any single device, they can leverage these wildcards to subscribe to topics across the entire MQTT broker namespace, potentially obtaining sensitive data from throughout the system. This represents an information disclosure risk in industrial control environments where PowerPanel Business is deployed for power management and monitoring. The vulnerability was disclosed by CISA on May 2, 2024, with a revision published on August 7, 2025, that updated the CWE classification. CyberPower has released version 4.10.1 to address this vulnerability. Organizations should prioritize updating affected installations, particularly those in critical infrastructure environments where unauthorized data access could support further attack chain activities.

Vendor
CyberPower
Product
PowerPanel Business
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-05-02
Original CVE updated
2025-08-07
Advisory published
2024-05-02
Advisory updated
2025-08-07

Who should care

Organizations using CyberPower PowerPanel Business for UPS and power infrastructure management, particularly in industrial, healthcare, data center, and critical infrastructure environments. Security teams responsible for OT/ICS network segmentation and MQTT-based IoT device management should prioritize this update.

Technical summary

The vulnerability exists in the MQTT message broker implementation within PowerPanel Business. MQTT wildcards ('+' for single-level, '#' for multi-level) allow clients to subscribe to multiple topics using pattern matching. When these wildcards are not properly restricted, an authenticated client can subscribe to broad topic patterns (e.g., '#') and receive messages intended for all devices in the system. This enables unauthorized information disclosure across the entire MQTT namespace. The attack requires network access and valid credentials to any device (PR:L), but once authenticated, the attacker can harvest data system-wide without additional privilege escalation. The confidentiality impact is rated High (C:H) with no integrity or availability impact.

Defensive priority

medium

Recommended defensive actions

  • Update CyberPower PowerPanel Business to version 4.10.1 or later to remediate the MQTT wildcard handling vulnerability
  • Review MQTT broker configurations to implement additional topic-level access controls and restrict wildcard subscriptions where possible
  • Segment PowerPanel Business systems from untrusted networks and apply defense-in-depth controls per CISA ICS recommended practices
  • Monitor MQTT broker logs for anomalous subscription patterns involving wildcard characters
  • Verify that only authorized devices and users have credentials to access the PowerPanel Business MQTT interface
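The wildcard confinement check the technical summary calls for, together with the topic-level access control and log-monitoring actions listed above, as an added Python example that is not CyberPower's or CISA's code; the 'devices/<client>' topic layout, the log line format and all function names are assumptions.

```python
"""Added example (not CyberPower's code): confine MQTT subscription filters to a
client's own namespace and flag wildcard subscriptions in assumed-format logs."""
import re

def is_valid_filter(topic_filter: str) -> bool:
    """MQTT syntax: '#' only as the entire last level, '+' only as a whole level."""
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            return False
        if "+" in level and level != "+":
            return False
    return bool(topic_filter)

def authorize_subscription(allowed_prefix: str, topic_filter: str):
    """Allow the filter only if every topic it could match lies under allowed_prefix;
    a '+' or '#' inside the prefix levels would also match other devices' topics."""
    if not is_valid_filter(topic_filter):
        return False, "malformed filter"
    allowed = allowed_prefix.strip("/").split("/")
    levels = topic_filter.split("/")
    for i, expected in enumerate(allowed):
        if i >= len(levels):
            return False, "filter shorter than namespace"
        if levels[i] != expected:
            return False, f"level {i} {levels[i]!r} escapes {allowed_prefix!r}"
    return True, "within namespace"

# Constructed log lines in an assumed format; not real PowerPanel Business output.
SAMPLE_LOG = [
    "2024-05-02T10:00:00Z SUBSCRIBE client=ups-01 filter=devices/ups-01/status",
    "2024-05-02T10:00:01Z SUBSCRIBE client=ups-01 filter=devices/ups-01/+/reading",
    "2024-05-02T10:00:02Z SUBSCRIBE client=ups-01 filter=#",
    "2024-05-02T10:00:03Z SUBSCRIBE client=ups-02 filter=devices/+/status",
    "2024-05-02T10:00:04Z SUBSCRIBE client=ups-02 filter=devices/ups-02/#",
]
SUBSCRIBE_RE = re.compile(r"SUBSCRIBE client=(?P<client>\S+) filter=(?P<filter>\S+)")

def flag_escaping_subscriptions(log_lines):
    """Return (client, filter, reason) for subscriptions leaving 'devices/<client>'."""
    findings = []
    for line in log_lines:
        m = SUBSCRIBE_RE.search(line)
        if not m:
            continue
        ok, reason = authorize_subscription(f"devices/{m['client']}", m["filter"])
        if not ok:
            findings.append((m["client"], m["filter"], reason))
    return findings
```

Wildcards that stay inside the client's own prefix (such as `devices/ups-02/#`) are still permitted, so the check blocks cross-device reads without breaking a device's legitimate subscriptions.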

Evidence notes

CISA ICS advisory ICSA-24-123-01 documents this vulnerability in CyberPower PowerPanel Business. The advisory confirms affected versions are 4.9.0 and earlier, with a vendor fix available in version 4.10.1. The CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N indicates a network-accessible, low-complexity attack requiring low privileges but yielding high confidentiality impact. The August 7, 2025 revision updated the CWE classification. No known exploitation in ransomware campaigns has been reported (KEV status: false).

Official resources

2024-05-02