CVE-2024-31409

Certain MQTT wildcards are not blocked on theCyberPower PowerPanel system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.

CVE-2024-31410

The devices which CyberPower PowerPanel manages use identical certificates based on ahard-coded cryptographic key. This can allow an attacker to impersonateany client in the system and send malicious data.

CVE-2024-32042

The key used to encrypt passwords stored in the database can be found intheCyberPower PowerPanel application code, allowing the passwords to be recovered.