These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CyberPower PowerPanel Business versions 4.9.0 and earlier contain hard-coded authentication credentials in the application code. This vulnerability allows an unauthenticated attacker to bypass authentication and gain administrator privileges on affected systems. The issue was disclosed by CISA on May 2, 2024, with a CVSS 3.0 score of 9.8 (Critical). CyberPower has released version 4.10.1 to address this v [truncated]
CyberPower PowerPanel Business versions 4.9.0 and earlier contain a hard-coded JWT signing key in the application code. This cryptographic weakness allows an attacker with knowledge of the embedded secret to forge valid JSON Web Tokens, potentially enabling complete authentication bypass and unauthorized administrative access to the power management platform. The vulnerability carries a CVSS 3.0 score of [truncated]
A path traversal vulnerability in CyberPower PowerPanel Business allows remote code execution through malicious ZIP file imports. The vulnerability, published 2024-05-02, affects versions 4.9.0 and earlier. CISA issued advisory ICSA-24-123-01 with a CVSS 3.0 score of 8.8 (HIGH). The vendor has released version 4.10.1 to address this issue. No known exploitation in ransomware campaigns has been documented.
CyberPower PowerPanel Business versions 4.9.0 and earlier contain hard-coded credentials used by the platform to authenticate to the database, other services, and cloud infrastructure. This vulnerability, published by CISA on May 2, 2024, allows an attacker to gain access to services with the privileges of the PowerPanel Business application. The CVSS 3.0 score of 9.8 (Critical) reflects network attack ve [truncated]
CyberPower PowerPanel Business versions 4.9.0 and earlier contain hard-coded credentials for a test server embedded in production code. This vulnerability, published by CISA on May 2, 2024, carries a CVSS 3.0 score of 9.8 (Critical) due to network-accessible attack vectors requiring no authentication, with potential for complete confidentiality, integrity, and availability compromise. The hard-coded crede [truncated]
CyberPower PowerPanel Business versions 4.9.0 and earlier contain a cryptographic weakness where the encryption key used to protect database-stored passwords is embedded directly in the application code. This hard-coded key allows an attacker with high privileges to recover plaintext passwords, undermining the confidentiality of stored credentials. The vulnerability was disclosed by CISA on May 2, 2024, an [truncated]
CVE-2024-31856 is a high-severity vulnerability in CyberPower PowerPanel Business versions 4.9.0 and earlier. The flaw allows an attacker with certain MQTT permissions to craft malicious messages that can be broadcast to all Power Panel devices in an environment. Successful exploitation enables SQL injection, arbitrary file writes, and remote code execution. The vulnerability was published on May 2, 2024, [truncated]
CyberPower PowerPanel Business versions 4.9.0 and earlier contain a hard-coded cryptographic key vulnerability that results in identical certificates across managed devices. An attacker with network access and low privileges can impersonate any client in the system to send malicious data, achieving high integrity impact without confidentiality or availability effects. CISA published this advisory on May 2 [truncated]
CyberPower PowerPanel Business versions 4.9.0 and earlier contain an MQTT wildcard handling vulnerability that could allow an authenticated attacker to access data across the entire system. The issue stems from improper restriction of MQTT wildcard characters (such as '+' and '#'), which are not blocked on the system. Once an attacker gains access to any single device, they can leverage these wildcards to [truncated]