CVE-2024-32042 (GCVE-0-2024-32042)

Vulnerability from cvelistv5 – Published: 2024-05-15 19:39 – Updated: 2024-08-02 02:06
VLAI
Title
CyberPower PowerPanel business Storing Passwords in a Recoverable Format
Summary
The key used to encrypt passwords stored in the database can be found in the CyberPower PowerPanel application code, allowing the passwords to be recovered.
Severity
4.9 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
Create a notification for this product.
cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
    cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
 Create a notification for this product.
Credits
Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "powerpanel_business",
            "vendor": "cyberpower",
            "versions": [
              {
                "lessThan": "4.9.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32042",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-24T18:50:17.986724Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:51:52.502Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:06:43.266Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PowerPanel business",
          "vendor": "CyberPower",
          "versions": [
            {
              "lessThan": "4.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\nThe key used to encrypt passwords stored in the database can be found in\n the \nCyberPower PowerPanel\n\napplication code, allowing the passwords to be recovered.\n\n\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "The key used to encrypt passwords stored in the database can be found in\n the \nCyberPower PowerPanel\n\napplication code, allowing the passwords to be recovered."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-257",
              "description": "CWE-257",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-15T19:39:08.086Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
        },
        {
          "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
        }
      ],
      "source": {
        "advisory": "ICSA-24-123-01",
        "discovery": "EXTERNAL"
      },
      "title": "CyberPower PowerPanel business Storing Passwords in a Recoverable Format",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2024-32042",
    "datePublished": "2024-05-15T19:39:08.086Z",
    "dateReserved": "2024-04-29T16:47:22.354Z",
    "dateUpdated": "2024-08-02T02:06:43.266Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-32042",
      "date": "2026-06-02",
      "epss": "0.00176",
      "percentile": "0.38782"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The key used to encrypt passwords stored in the database can be found in\\n the \\nCyberPower PowerPanel\\n\\napplication code, allowing the passwords to be recovered.\"}, {\"lang\": \"es\", \"value\": \"La clave utilizada para cifrar las contrase\\u00f1as almacenadas en la base de datos se puede encontrar en el c\\u00f3digo de la aplicaci\\u00f3n CyberPower PowerPanel, lo que permite recuperar las contrase\\u00f1as.\"}]",
      "id": "CVE-2024-32042",
      "lastModified": "2024-11-21T09:14:22.697",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 4.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 3.6}]}",
      "published": "2024-05-15T20:15:11.950",
      "references": "[{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01\", \"source\": \"ics-cert@hq.dhs.gov\"}, {\"url\": \"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\", \"source\": \"ics-cert@hq.dhs.gov\"}, {\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-257\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-32042\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2024-05-15T20:15:11.950\",\"lastModified\":\"2025-07-30T00:19:33.853\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The key used to encrypt passwords stored in the database can be found in\\n the \\nCyberPower PowerPanel\\n\\napplication code, allowing the passwords to be recovered.\"},{\"lang\":\"es\",\"value\":\"La clave utilizada para cifrar las contrase\u00f1as almacenadas en la base de datos se puede encontrar en el c\u00f3digo de la aplicaci\u00f3n CyberPower PowerPanel, lo que permite recuperar las contrase\u00f1as.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-257\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cyberpower:powerpanel:*:*:*:*:business:windows:*:*\",\"versionEndIncluding\":\"4.9.0\",\"matchCriteriaId\":\"63016483-EF5A-42FE-BBC2-D7E66C24B9B1\"}]}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Product\"]},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:06:43.266Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-32042\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-24T18:50:17.986724Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*\"], \"vendor\": \"cyberpower\", \"product\": \"powerpanel_business\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.9.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-24T18:50:47.977Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"CyberPower PowerPanel business Storing Passwords in a Recoverable Format\", \"source\": {\"advisory\": \"ICSA-24-123-01\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"CyberPower\", \"product\": \"PowerPanel business\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.9.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\\n\\n\\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\\n\u003cp\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\\\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01\"}, {\"url\": \"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The key used to encrypt passwords stored in the database can be found in\\n the \\nCyberPower PowerPanel\\n\\napplication code, allowing the passwords to be recovered.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\\nThe key used to encrypt passwords stored in the database can be found in\\n the \\nCyberPower PowerPanel\\n\\napplication code, allowing the passwords to be recovered.\\n\\n\u003cbr\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-257\", \"description\": \"CWE-257\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2024-05-15T19:39:08.086Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-32042\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:06:43.266Z\", \"dateReserved\": \"2024-04-29T16:47:22.354Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2024-05-15T19:39:08.086Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.