Cyberpower: >> Powerpanel >> 4.8.6 Security Vulnerabilities
Hard-coded credentials for the
CyberPower PowerPanel test server can be found in the
production code. This might result in an attacker gaining access to the
testing or production server.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-05-15
Hard-coded credentials are used by theĀ
CyberPower PowerPanel
platform to authenticate to the
database, other services, and the cloud. This could result in an
attacker gaining access to services with the privileges of a Powerpanel
business application.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-05-15
Certain MQTT wildcards are not blocked on the
CyberPower PowerPanel
system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-05-15
The devices which CyberPower PowerPanel manages use identical certificates based on a
hard-coded cryptographic key. This can allow an attacker to impersonate
any client in the system and send malicious data.
CVSS Score
7.7
EPSS Score
0.001
Published
2024-05-15
An attacker with certain MQTT permissions can create malicious messages
to all CyberPower PowerPanel devices. This could result in an attacker injecting
SQL syntax, writing arbitrary files to the system, and executing remote
code.
CVSS Score
8.8
EPSS Score
0.002
Published
2024-05-15
The key used to encrypt passwords stored in the database can be found in
the
CyberPower PowerPanel
application code, allowing the passwords to be recovered.
CVSS Score
4.9
EPSS Score
0.001
Published
2024-05-15
Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors.
CVSS Score
9.1
EPSS Score
0.002
Published
2023-04-24
Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the 'admin' password.
CVSS Score
9.4
EPSS Score
0.003
Published
2023-04-24
Unrestricted upload of file with dangerous type vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors.
CVSS Score
9.1
EPSS Score
0.002
Published
2023-04-24