#VU89129 Use of Hard-coded Cryptographic Key in PowerPanel - CVE-2024-31410


Vulnerability identifier: #VU89129

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-31410

CWE-ID: CWE-321

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PowerPanel
Client/Desktop applications / Software for system administration

Vendor: CyberPower

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use of hard-coded cryptographic key. A remote user can impersonate any client in the system and send malicious data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PowerPanel: 4.9.0

External links
https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in CyberPower PowerPanel