PatchSiren cyber security CVE debrief
CVE-2024-32042 CyberPower CVE debrief
CyberPower PowerPanel Business versions 4.9.0 and earlier contain a cryptographic weakness where the encryption key used to protect database-stored passwords is embedded directly in the application code. This hardcoded key allows an attacker with high privileges to recover plaintext passwords, undermining the confidentiality of stored credentials. The vulnerability was disclosed by CISA on May 2, 2024, and carries a CVSS 3.1 score of 4.9 (Medium severity). CyberPower has addressed this issue in version 4.10.1, which administrators should deploy promptly. Organizations should also audit for any exposed credentials that may have been compromised prior to patching and enforce network segmentation for PowerPanel Business installations to limit attack surface.
- Vendor: CyberPower
- Product: PowerPanel Business
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-02
- Original CVE updated: 2025-08-07
- Advisory published: 2024-05-02
- Advisory updated: 2025-08-07
Who should care
Organizations using CyberPower PowerPanel Business for UPS management and power monitoring, particularly in industrial control system (ICS) environments. System administrators responsible for critical infrastructure power management, security teams overseeing OT/ICS asset protection, and compliance officers managing credential security standards should prioritize this patch. The hardcoded key exposure creates risk for credential compromise that could enable lateral movement or privilege escalation in environments where PowerPanel Business manages critical power infrastructure.
Technical summary
CVE-2024-32042 affects CyberPower PowerPanel Business versions 4.9.0 and earlier. The application uses a hardcoded encryption key to protect passwords stored in its database. Because this key is embedded in the application code rather than being generated per installation or managed externally, an attacker with high-level privileges (PR:H) can extract the key and decrypt the stored passwords. The vulnerability is network-accessible (AV:N) with low attack complexity (AC:L), resulting in a CVSS 3.1 score of 4.9 (Medium). The confidentiality impact is rated High (C:H) with no integrity or availability impact. CyberPower released version 4.10.1 to address this issue. The vulnerability was disclosed in CISA advisory ICSA-24-123-01 on May 2, 2024, with a revision on August 7, 2025 updating the CWE classification.
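The weakness class described above (a key shipped inside the application, CWE-321) is easiest to see side by side with the corrected pattern. The script below is an added illustration written for this debrief; it is not CyberPower's code and nothing in it comes from the advisory. The toy encrypt-then-MAC helper, the environment variable name PPB_DB_KEY and the key-name regular expression are all constructed for the example. It shows that a record encrypted under a hardcoded key is recoverable by anyone who can read the application files, that a per-installation key provisioned outside the code blocks recovery when the key is absent or belongs to another installation, and a minimal code-review check that flags key-like constants initialised from a literal.

```python
import hashlib
import hmac
import re
import secrets

# Constructed illustration of CWE-321 (hardcoded cryptographic key). Not CyberPower's
# code; it only shows why a key shipped inside the application gives no real
# protection to the passwords it encrypts.

HARDCODED_KEY = b"example-hardcoded-key-do-not-use"  # constant shipped with the application

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream built from HMAC-SHA256 (illustration, not a vetted AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; a wrong key fails here instead of returning garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Weak pattern: the key is a constant in the code base, so anyone who can read the
# application files (the high-privilege precondition in the advisory) has it as well.
def store_password_weak(password: str) -> bytes:
    return seal(HARDCODED_KEY, password.encode())

def recover_password_weak(blob: bytes) -> str:
    return unseal(HARDCODED_KEY, blob).decode()

# Hardened pattern: a per-installation key provisioned outside the code. An environment
# variable (hypothetical name PPB_DB_KEY) stands in for a KMS, HSM or OS keystore.
def new_install_env() -> dict:
    """Generate a fresh 256-bit key for one installation (done once at install time)."""
    return {"PPB_DB_KEY": secrets.token_hex(32)}

def load_install_key(env: dict) -> bytes:
    raw = env.get("PPB_DB_KEY")
    if raw is None:
        raise RuntimeError("database key not provisioned for this installation")
    key = bytes.fromhex(raw)
    if len(key) < 32:
        raise RuntimeError("database key too short")
    return key

def store_password_hardened(password: str, env: dict) -> bytes:
    return seal(load_install_key(env), password.encode())

def recover_password_hardened(blob: bytes, env: dict) -> str:
    return unseal(load_install_key(env), blob).decode()

# Simple code-review check: flag long string/bytes literals assigned to key-like names.
KEY_LITERAL = re.compile(r'^\s*([A-Za-z_]*KEY[A-Za-z_]*)\s*=\s*b?["\']([^"\']{16,})["\']', re.M)

def find_hardcoded_keys(source: str) -> list:
    """Return the names of key-like constants initialised from a literal."""
    return [m.group(1) for m in KEY_LITERAL.finditer(source)]

def demo() -> dict:
    """Exercise both patterns and report what each allows."""
    weak_blob = store_password_weak("s3cret")
    env = new_install_env()
    hard_blob = store_password_hardened("s3cret", env)
    try:
        recover_password_hardened(hard_blob, {})  # no key provisioned
        without_key = "recovered"
    except RuntimeError:
        without_key = "blocked"
    try:
        recover_password_hardened(hard_blob, new_install_env())  # another installation's key
        wrong_key = "recovered"
    except ValueError:
        wrong_key = "blocked"
    return {
        "weak_recovered_from_code_alone": recover_password_weak(weak_blob) == "s3cret",
        "hardened_without_key": without_key,
        "hardened_with_wrong_key": wrong_key,
        "hardened_with_right_key": recover_password_hardened(hard_blob, env),
    }

if __name__ == "__main__":
    print(demo())
```

Run it with `python3 hardcoded_key_demo.py` (any file name works). The weak store decrypts with nothing but the code, which is exactly the exposure the advisory rates as a High confidentiality impact; the hardened store fails closed when the installation key is missing or wrong. The `find_hardcoded_keys` check is deliberately crude and will miss keys split across constants or loaded from a bundled file, so treat it as a first pass during code review rather than a complete scanner.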
Defensive priority
Medium
Recommended defensive actions
- Upgrade CyberPower PowerPanel Business to version 4.10.1 or later to remediate the hardcoded encryption key vulnerability
- Review and rotate any credentials stored in PowerPanel Business databases that may have been exposed due to this cryptographic weakness
- Implement network segmentation to restrict access to PowerPanel Business management interfaces from untrusted networks
- Audit administrative accounts and access logs for signs of unauthorized credential access or privilege escalation
- Apply principle of least privilege to PowerPanel Business administrative accounts to reduce attack surface
- Monitor for anomalous authentication attempts or database access patterns that could indicate credential exploitation
Evidence notes
CISA ICS advisory ICSA-24-123-01 confirms the hardcoded encryption key vulnerability in PowerPanel Business ≤4.9.0. The advisory was initially published on 2024-05-02 and last modified on 2025-08-07 to update CWE classification. Vendor fix available in version 4.10.1.
Official resources
- CVE-2024-32042 CVE record (CVE.org)
- CVE-2024-32042 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-05-02