CVE-2024-31409

Certain MQTT wildcards are not blocked on theCyberPower PowerPanel system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.

CVE-2024-32047

Hard-coded credentials for theCyberPower PowerPanel test server can be found in theproduction code. This might result in an attacker gaining access to thetesting or production server.

CVE-2024-31410

The devices which CyberPower PowerPanel manages use identical certificates based on ahard-coded cryptographic key. This can allow an attacker to impersonateany client in the system and send malicious data.

CVE-2024-31856

An attacker with certain MQTT permissions can create malicious messagesto all CyberPower PowerPanel devices. This could result in an attacker injectingSQL syntax, writing arbitrary files to the system, and executing remotecode.

CVE-2024-32053

Hard-coded credentials are used by the CyberPower PowerPanel platform to authenticate to thedatabase, other services, and the cloud. This could result in anattacker gaining access to services with the privileges of a Powerpanelbusiness application.

CVE-2024-32042

The key used to encrypt passwords stored in the database can be found intheCyberPower PowerPanel application code, allowing the passwords to be recovered.