PatchSiren cyber security CVE debrief

CVE-2024-34025 CyberPower CVE debrief

CyberPower PowerPanel Business versions 4.9.0 and earlier contain hard-coded authentication credentials in the application code. This vulnerability allows an unauthenticated attacker to bypass authentication and gain administrator privileges on affected systems. The issue was disclosed by CISA on May 2, 2024, with a CVSS 3.0 score of 9.8 (Critical). CyberPower has released version 4.10.1 to address this vulnerability. Organizations using affected versions should prioritize patching, as this vulnerability requires no user interaction and can be exploited remotely over the network.

Vendor: CyberPower
Product: PowerPanel Business
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-02
Original CVE updated: 2025-08-07
Advisory published: 2024-05-02
Advisory updated: 2025-08-07

Who should care

Organizations using CyberPower PowerPanel Business for UPS management in data centers, industrial facilities, or critical infrastructure environments. Security teams responsible for industrial control systems and operational technology infrastructure. System administrators managing power infrastructure with remote management capabilities.

Technical summary

CVE-2024-34025 is a critical vulnerability in CyberPower PowerPanel Business ≤4.9.0 caused by hard-coded authentication credentials embedded in the application code. The vulnerability has a CVSS 3.0 score of 9.8 (Critical) with attack vector Network, attack complexity Low, and no privileges or user interaction required. Successful exploitation allows complete compromise of confidentiality, integrity, and availability of the affected system. The vulnerability was disclosed on May 2, 2024, and remediated by CyberPower in version 4.10.1 released thereafter.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade CyberPower PowerPanel Business to version 4.10.1 or later immediately
  • If immediate patching is not possible, restrict network access to PowerPanel Business management interfaces to trusted administrative hosts only
  • Monitor for unauthorized administrative access attempts in PowerPanel Business audit logs
  • Review and rotate any credentials that may have been compromised before the patch was applied
  • Apply defense-in-depth controls per CISA ICS recommended practices for industrial control systems
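The version gate in the first action above ("4.9.0 and earlier affected, 4.10.1 or later fixed") is easy to get wrong in an inventory script, because as plain text "4.10.1" sorts before "4.9.0" and a naive string comparison would mark the patched build as vulnerable. The following is an added example, written for this debrief and not code from PatchSiren or CyberPower, that compares versions as numeric tuples and triages a list of hosts. The hostnames and version strings are constructed; how you export PowerPanel Business versions from your asset inventory is assumed to happen elsewhere.

```python
"""Triage CyberPower PowerPanel Business installs against the CVE-2024-34025 fix version.

Added example for this debrief; the inventory below is constructed data.
"""
import re

# Fix version named in the advisory. The advisory lists <= 4.9.0 as affected
# and 4.10.1 as the fix; anything below the fix version is treated as needing
# the upgrade, which is the conservative reading of "4.10.1 or later".
FIXED_VERSION = (4, 10, 1)

_VERSION_RE = re.compile(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Turn '4.9.0', 'v4.10.1' or '4.10' into a comparable (major, minor, patch) tuple.

    Raises ValueError for strings that are not a dotted version, so callers can
    route unknown entries to manual review instead of silently passing them.
    """
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def is_vulnerable(version_text):
    """True when the install is below the fixed version (numeric, not lexical, comparison)."""
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory):
    """Split (hostname, version) pairs into hosts to patch, hosts already fixed, and unparseable entries.

    Order within each list follows the inventory order so reports are stable.
    """
    report = {"patch": [], "ok": [], "unknown": []}
    for hostname, version_text in inventory:
        try:
            bucket = "patch" if is_vulnerable(version_text) else "ok"
        except ValueError:
            bucket = "unknown"
        report[bucket].append(hostname)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample_inventory = [
        ("ups-dc1", "4.9.0"),     # affected per advisory
        ("ups-dc2", "4.10.1"),    # fixed build
        ("ups-plant", "v4.10.0"), # below the fix version: treated as needing upgrade
        ("ups-lab", "n/a"),       # inventory gap: review manually
    ]
    result = triage(sample_inventory)
    for bucket, hosts in result.items():
        print(f"{bucket:>8}: {', '.join(hosts) or '-'}")
    # Demonstrates the pitfall the tuple comparison avoids.
    print("lexical '4.10.1' < '4.9.0':", "4.10.1" < "4.9.0")
```

The `unknown` bucket is deliberate: an entry whose version cannot be parsed should surface for manual review rather than disappear from the patch list, since a UPS management host with no recorded version is exactly the kind of asset that stays on an old build.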

Evidence notes

CISA ICS advisory ICSA-24-123-01 confirms hard-coded credentials in PowerPanel Business ≤4.9.0 enabling authentication bypass with administrator privilege escalation. CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Vendor fix released in v4.10.1.

Official resources

2024-05-02