PatchSiren cyber security CVE debrief
CVE-2024-32053 CyberPower CVE debrief
CyberPower PowerPanel Business versions 4.9.0 and earlier contain hard-coded credentials used by the platform to authenticate to the database, other services, and cloud infrastructure. This vulnerability, published by CISA on May 2, 2024, allows an attacker to gain access to services with the privileges of the PowerPanel Business application. The CVSS 3.0 score of 9.8 (Critical) reflects network attack vector, low attack complexity, no required privileges or user interaction, and high impacts to confidentiality, integrity, and availability. CyberPower has released version 4.10.1 to address this issue. Organizations should update immediately and audit for any unauthorized access that may have occurred prior to patching.
- Vendor: CyberPower
- Product: PowerPanel Business
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-02
- Original CVE updated: 2025-08-07
- Advisory published: 2024-05-02
- Advisory updated: 2025-08-07
Who should care
Organizations running CyberPower PowerPanel Business for UPS management and power infrastructure monitoring, particularly in industrial control system (ICS) environments where power continuity is critical to operations.
Technical summary
The PowerPanel Business platform uses hard-coded credentials for authentication to its database, auxiliary services, and cloud components. An attacker who extracts these credentials can authenticate as the PowerPanel Business application, gaining privileged access to backend systems. The vulnerability affects all deployments of PowerPanel Business 4.9.0 and earlier. The fix in version 4.10.1 replaces hard-coded credentials with properly configurable authentication mechanisms.
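The following is an added illustration of the weakness class described above, not CyberPower's code and not the actual PowerPanel Business implementation (which the advisory does not publish). It contrasts the hard-coded pattern with a per-deployment, fail-closed loader of the kind the 4.10.1 fix replaces it with. The environment variable names (PPB_DB_HOST, PPB_DB_USER, PPB_DB_PASSWORD, PPB_DB_PASSWORD_FILE), the placeholder credential values, and the host name are all constructed for the example.

```python
"""Hard-coded credentials (CWE-style weakness behind CVE-2024-32053) beside a
configurable alternative. Added example; all names and values are constructed."""
import os
from dataclasses import dataclass
from typing import List, Mapping, Optional

# --- 'Before': the vulnerable pattern ----------------------------------------
# A service account compiled into the shipped product means every installation
# shares one secret: whoever extracts it from any copy can authenticate as the
# application against every deployment's database. Constructed placeholders:
HARDCODED_DB_USER = "app_service"
HARDCODED_DB_PASSWORD = "PLACEHOLDER-SHARED-SECRET"


def connect_vulnerable() -> tuple:
    """Every installation presents the same compiled-in credential pair."""
    return ("db.internal", HARDCODED_DB_USER, HARDCODED_DB_PASSWORD)


# --- 'After': per-deployment credentials validated at start-up ----------------
class CredentialError(RuntimeError):
    """Raised when configuration is missing or still holds a placeholder."""


@dataclass(frozen=True)
class DbCredentials:
    host: str
    user: str
    password: str


# Values that show an operator never replaced an install-time default.
WEAK_OR_DEFAULT = {HARDCODED_DB_PASSWORD.lower(), "changeme", "password", "admin", ""}


def is_placeholder(secret: str) -> bool:
    return secret.strip().lower() in WEAK_OR_DEFAULT


def read_secret(env: Mapping[str, str], name: str) -> Optional[str]:
    """Resolve NAME from the environment, or from the file named by NAME_FILE
    (the usual shape for a mounted secret). The file takes precedence."""
    path = env.get(f"{name}_FILE")
    if path:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    return env.get(name)


def credential_problems(env: Mapping[str, str]) -> List[str]:
    """Return every reason the supplied configuration must not be used."""
    problems = []
    for name in ("PPB_DB_HOST", "PPB_DB_USER"):
        if not env.get(name):
            problems.append(f"missing {name}")
    password = read_secret(env, "PPB_DB_PASSWORD")
    if not password:
        problems.append("missing PPB_DB_PASSWORD (or PPB_DB_PASSWORD_FILE)")
    elif is_placeholder(password):
        problems.append("PPB_DB_PASSWORD is a placeholder/default; set a per-deployment secret")
    return problems


def load_db_credentials(env: Optional[Mapping[str, str]] = None) -> DbCredentials:
    """Fail closed: a missing or placeholder secret stops start-up instead of
    silently falling back to a shared built-in default."""
    env = os.environ if env is None else env
    problems = credential_problems(env)
    if problems:
        raise CredentialError("; ".join(problems))
    return DbCredentials(
        host=env["PPB_DB_HOST"],
        user=env["PPB_DB_USER"],
        password=read_secret(env, "PPB_DB_PASSWORD"),
    )


def still_uses_shipped_default(creds: DbCredentials) -> bool:
    """Audit helper: True when a deployment's configured pair is the
    compiled-in one from the vulnerable build (constructed values here)."""
    return creds.user == HARDCODED_DB_USER and creds.password == HARDCODED_DB_PASSWORD


if __name__ == "__main__":
    print("vulnerable build would use:", connect_vulnerable())
    stale = {"PPB_DB_HOST": "db.internal", "PPB_DB_USER": "app_service",
             "PPB_DB_PASSWORD": "changeme"}
    print("rejected:", credential_problems(stale))
    good = load_db_credentials({"PPB_DB_HOST": "db.internal", "PPB_DB_USER": "ppb_site42",
                                "PPB_DB_PASSWORD": "constructed-per-site-secret"})
    print("loaded credentials for", good.user, "at", good.host,
          "| shipped default still in use:", still_uses_shipped_default(good))
```

Two things matter in the hardened version: the secret is supplied per deployment (environment or mounted file) rather than compiled in, and start-up refuses obvious placeholders so a forgotten default cannot quietly recreate the shared-secret condition. The `still_uses_shipped_default` helper is the kind of check an operator would run during the post-patch audit the advisory recommends, substituting the real pre-4.10.1 values where they are known.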
Defensive priority
critical
Recommended defensive actions
- Update PowerPanel Business to version 4.10.1 or later immediately
- Audit database, service, and cloud access logs for unauthorized activity using the hard-coded credentials
- Review and rotate any credentials that may have been derived from or similar to the hard-coded values
- Implement network segmentation to limit PowerPanel Business system exposure
- Apply defense-in-depth controls per CISA ICS recommended practices
Evidence notes
Hard-coded credentials are used by the platform to authenticate to the database, other services, and the cloud. This could result in an attacker gaining access to services with the privileges of a PowerPanel Business application.
Official resources
- CVE-2024-32053 CVE record (CVE.org)
- CVE-2024-32053 NVD detail (NVD)
- Source item URL: cisa_csaf
CISA published advisory ICSA-24-123-01 on May 2, 2024, with a revision on August 7, 2025 updating the CWE classification.