PatchSiren cyber security CVE debrief
CVE-2024-33625 CyberPower CVE debrief
CyberPower PowerPanel Business versions 4.9.0 and earlier contain a hard-coded JWT signing key in the application code. This cryptographic weakness allows an attacker with knowledge of the embedded secret to forge valid JSON Web Tokens, potentially enabling complete authentication bypass and unauthorized administrative access to the power management platform. The vulnerability carries a CVSS 3.0 score of 9.8 (Critical) due to its network-exploitable nature, lack of required privileges, and high impact on confidentiality, integrity, and availability. CISA published this advisory on May 2, 2024, with a revision on August 7, 2025, updating the CWE classification. CyberPower has addressed the issue in version 4.10.1, which organizations should deploy immediately given the trivial exploitability and severe consequences of token forgery in infrastructure management systems.
- Vendor: CyberPower
- Product: PowerPanel Business
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-02
- Original CVE updated: 2025-08-07
- Advisory published: 2024-05-02
- Advisory updated: 2025-08-07
Who should care
Organizations using CyberPower PowerPanel Business for UPS and power infrastructure management, particularly in data center, healthcare, and industrial environments where continuous power availability is critical. Security teams responsible for operational technology (OT) and industrial control systems (ICS) asset protection. Compliance officers managing infrastructure access controls under frameworks requiring strong authentication mechanisms.
Technical summary
The PowerPanel Business application embeds a static JWT signing key within its codebase rather than generating or configuring cryptographically random secrets during deployment. An attacker who extracts this key—through binary analysis, source code review, or leaked builds—can craft arbitrary JWT payloads with administrative claims. The application accepts these forged tokens as legitimate because it uses the identical hard-coded secret for signature verification. This bypasses all authentication controls, granting the attacker equivalent privileges to a valid administrator without possessing valid credentials.
Defensive priority: critical
Recommended defensive actions
- Upgrade PowerPanel Business to version 4.10.1 or later immediately
- Audit access logs for anomalous JWT token usage or unexpected administrative sessions
- Rotate all administrative credentials and session tokens following patch deployment
- Implement network segmentation to restrict PowerPanel Business management interfaces to authorized administrative hosts only
- Review and validate JWT token signatures in any custom integrations or monitoring systems
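The technical summary above explains why a static signing secret lets a forged token pass verification, and the last action item asks integrators to validate token signatures themselves. The following added example (not CyberPower's code; the product's actual key material and JWT layout are not on the page) shows the hardened pattern: a per-deployment random key loaded from the environment, a startup check that refuses a missing, short or placeholder key, and a strict HS256 verifier that rejects bad signatures, non-HS256 headers and expired tokens. `JWT_SIGNING_KEY` and `HARD_CODED_PLACEHOLDER` are assumed names.

```python
import base64, hashlib, hmac, json, os, secrets, time

# Constructed placeholder standing in for a secret baked into source code
# (the weakness class described above); not the product's real key.
HARD_CODED_PLACEHOLDER = b"example-static-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def generate_signing_key() -> str:
    """256-bit random key, set once at install time (assumed deployment step)."""
    return secrets.token_urlsafe(32)

def load_signing_key(env=os.environ) -> bytes:
    """Hardened key source: the secret comes from the deployment environment,
    never from a literal in the codebase. Refuse to start on a missing, short
    or known-default value so a forgotten placeholder cannot ship."""
    key = env.get("JWT_SIGNING_KEY", "").encode()
    if len(key) < 32 or key == HARD_CODED_PLACEHOLDER:
        raise RuntimeError("JWT_SIGNING_KEY missing, too short, or default value")
    return key

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token; used here only to build test input for the verifier."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256(token: str, key: bytes, now: float = None):
    """Return the claims only if alg, signature and expiry all check out."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # reject alg=none / algorithm-confusion headers
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature does not match the deployment key
        claims = json.loads(b64url_decode(payload))
    except (ValueError, TypeError):
        return None  # malformed token
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        return None  # missing or expired exp claim
    return claims
```

A token signed under any other key, including one baked into an older build, fails the `compare_digest` check and is rejected before its claims are trusted.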
Evidence notes
Hard-coded JWT signing key confirmed in PowerPanel Business ≤4.9.0 per CISA ICS advisory ICSA-24-123-01. CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates network-based exploitation without authentication requirements. Vendor fix released in version 4.10.1.
Official resources
- CVE-2024-33625 CVE record (CVE.org)
- CVE-2024-33625 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-05-02