PatchSiren cyber security CVE debrief

CVE-2024-32047 CyberPower CVE debrief

CyberPower PowerPanel Business versions 4.9.0 and earlier ship with hard-coded credentials for a test server embedded in production code. The vulnerability, published by CISA on May 2, 2024, carries a CVSS 3.0 base score of 9.8 (Critical): the attack vector is network-accessible, no authentication or user interaction is required, and a successful attack can fully compromise confidentiality, integrity, and availability. The hard-coded credentials could allow an attacker to gain unauthorized access to testing or production environments. CyberPower has released version 4.10.1 to address the issue. Organizations should prioritize patching given the critical severity and low attack complexity.

Vendor
CyberPower
Product
PowerPanel Business
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-05-02
Original CVE updated
2025-08-07
Advisory published
2024-05-02
Advisory updated
2025-08-07

Who should care

Organizations running CyberPower PowerPanel Business for UPS management, particularly in industrial control system (ICS) environments where availability of the managed equipment is critical. Security teams responsible for OT/ICS asset inventory and vulnerability remediation should prioritize this patch because of the critical CVSS score and the unauthenticated exploitation path.

Technical summary

CVE-2024-32047 affects CyberPower PowerPanel Business ≤4.9.0, in which hard-coded credentials for a test server were found in production code. Because the credentials are embedded in software that ships to every customer, anyone who extracts them from an installed copy can reuse them; an unauthenticated network attacker could therefore gain access to testing or production servers. CISA assigned a CVSS 3.0 base score of 9.8 (Critical) based on a network attack vector, low attack complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. CyberPower remediated the issue in version 4.10.1. The root cause is a common secure development lifecycle failure: test artifacts were not removed before the production release.

Defensive priority

critical

Recommended defensive actions

  • Update CyberPower PowerPanel Business to version 4.10.1 or later immediately, and verify the installed version after the upgrade
  • Audit access logs on PowerPanel Business servers for logins that used the test-server credentials or originated from unexpected sources
  • Review network segmentation to ensure PowerPanel Business systems are not reachable from untrusted networks
  • Treat the embedded test credentials as compromised: rotate them and any other accounts that may have relied on default or hard-coded values
  • Scan the environment for remaining instances of PowerPanel Business ≤4.9.0, comparing version numbers numerically rather than as strings
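The version check in the last action is easy to get wrong: compared as strings, "4.10.1" sorts before "4.9.0", so a naive scan would report the fixed release as vulnerable. The following script is an added example, not code from PatchSiren or CyberPower; the inventory lines, host names, and CSV layout are constructed for illustration, and the affected/fixed boundaries are taken from the advisory text above.

```python
"""Triage a host inventory against CVE-2024-32047 (added example).

Hosts running CyberPower PowerPanel Business are classified as
"vulnerable" (<= 4.9.0), "fixed" (>= 4.10.1), or "unknown" (unparseable
version, or a version the advisory does not describe). Versions are
compared as tuples of integers, never as strings.
"""
import re
from typing import Dict, List, Tuple

# Boundaries stated in the advisory: "4.9.0 and earlier" affected, 4.10.1 fixed.
LAST_AFFECTED = (4, 9, 0)
FIXED_VERSION = (4, 10, 1)

# Constructed sample inventory (hostname,product,version); not real hosts.
SAMPLE_INVENTORY = """\
ups-mgmt-01,CyberPower PowerPanel Business,4.9.0
ups-mgmt-02,CyberPower PowerPanel Business,4.10.1
ups-mgmt-03,CyberPower PowerPanel Business,4.8.2
ups-mgmt-04,CyberPower PowerPanel Business,4.11.0
nas-01,Some Other Product,4.1.0
ups-mgmt-05,CyberPower PowerPanel Business,unknown
"""


def naive_string_check(version_text: str) -> bool:
    """The WRONG way: lexicographic comparison. Returns True for '4.10.1'
    because '1' sorts before '9', flagging the fixed build as vulnerable."""
    return version_text <= "4.9.0"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.10.1' (or 'v4.10.1') into (4, 10, 1); ValueError on junk."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def classify(version_text: str) -> str:
    """Map one version string to vulnerable / fixed / unknown."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"  # needs a manual check; never assume it is fixed
    v = v + (0,) * (3 - len(v))  # '4.9' compares like '4.9.0'
    if v <= LAST_AFFECTED:
        return "vulnerable"
    if v >= FIXED_VERSION:
        return "fixed"
    return "unknown"  # between 4.9.0 and 4.10.1: not described by the advisory


def triage(inventory: str) -> Dict[str, List[str]]:
    """Group PowerPanel Business hosts in a CSV inventory by patch status."""
    result: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if "powerpanel business" not in product.lower():
            continue  # other products are out of scope for this CVE
        result[classify(version)].append(host)
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket are the ones to chase by hand; a scan that silently drops unparseable versions will miss exactly the appliances whose inventory data is stale.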

Evidence notes

CISA ICS advisory ICSA-24-123-01 confirms hard-coded credentials in PowerPanel Business ≤4.9.0. The CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H supports a network-exploitable, unauthenticated attack scenario with no user interaction. The vendor fix is confirmed at patch version 4.10.1.

Official resources

2024-05-02