Critical Flaws in CyberPower Software Put Power Systems at Risk

Researchers have exposed a dangerous set of vulnerabilities within CyberPower’s PowerPanel Business Software, a critical management tool responsible for maintaining Uninterrupted Power Supply (UPS) stability across countless organizations. Threat actors could abuse these flaws, ranging from hard-coded passwords to SQL injection weaknesses, to take control of vital power systems. This could lead to severe disruptions, data theft, and provide a launching point for even more devastating network attacks.

The internet exposed PowerPanel Business applications

PowerPanel Business Software is a cornerstone for managing UPS systems, crucial for maintaining the reliability of power distribution in sensitive environments. The software provides comprehensive functionalities such as real-time monitoring, remote management, and automated maintenance scheduling, which are vital for minimizing downtime and optimizing energy usage.

Recent disclosures have revealed multiple security flaws within versions up to 4.9.0 of the PowerPanel software, with CyberPower having since released patches to address these issues. The vulnerabilities vary in severity and include:

• CVE-2024-34025: Use of Hard-Coded Password (Critical)
• CVE-2024-32053: Use of Hard-Coded Credentials (Critical)
• CVE-2024-32047: Active Debug Code (Critical)
• CVE-2024-33615: Relative Path Traversal (High)
• CVE-2024-31856: SQL Injection (High)
• CVE-2024-31410: Use of Hard-Coded Cryptographic Key (Medium)
• CVE-2024-31409: Improper Authorization (Medium)
• CVE-2024-32042: Storing Passwords in Recoverable Format (Low)

These vulnerabilities could allow attackers to bypass authentication protocols, manipulate system operations, access sensitive data, and potentially cause extensive damage including operational disruptions and financial losses.

The Cybersecurity and Infrastructure Security Agency (CISA) has emphasized the increasing interest of hacktivist groups in targeting internet-exposed Industrial Control Systems (ICS). Past incidents orchestrated by groups like GhostSec and TeamOneFist, particularly during geopolitical tensions, underscore the risks posed by such vulnerabilities. The discovery of over 600 internet-exposed instances of PowerPanel Business software further amplifies these concerns.

The good news is that CyberPower has already released patches to address the disclosed vulnerabilities. Organizations using PowerPanel Business Software versions 4.9.0 or earlier must update as a matter of absolute urgency. However, patching alone isn’t enough. To strengthen defenses further, organizations must consider:

• Multi-Factor Authentication: Passwords alone are insufficient. Enforcing MFA for all access points significantly reduces the risk of unauthorized access.
• Network Segmentation: Isolate critical infrastructure from less secure networks. This limits damage if attackers gain initial entry.
• Vigilant Monitoring: Actively track UPS management software activity for signs of suspicious behavior.
• Employee Training: Awareness of cyber threats helps staff identify phishing attempts and spot the early signs of a breach attempt.