CVE-2024-32735
published 2024-05-14

Priority P1 · 88 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 6.77% (93.2th percentile)

An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application.

Affected (2 ranges)

Vendor       Product                            Version range   Fixed in
cyberpower   cyberpower_powerpanel_enterprise   < 2.8.3         2.8.3
cyberpower   powerpanel                         < 2.8.3         2.8.3

Detection & IOCs (extracted from sources)

url: /api/v1/devices
port: 8085
url: /api/v1/confup?mode=&uid=1'%20UNION%20select%201,2,3,4,sqlite_version();--
url: /api/v1/confup?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--
url: /api/v1/ndconfig?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--
url: /api/v1/ndconfig?mode=&uid=1'%20UNION%20select%201,2,3,sqlite_version();--
sigma: matchers: words: ['"account":', '"passwd":', 'status":"success'] in HTTP response body with content-type application/json and status 200 on path /api/v1/devices
  • Unauthenticated GET requests to /api/v1/devices on port 8085 returning JSON with 'account' and 'passwd' fields indicate active exploitation of the missing authentication vulnerability.
  • Shodan query 'html:"PDNU"' can be used to identify internet-exposed CyberPower PowerPanel PDNU instances.
  • SQL injection attempts via the 'uid' parameter on /api/v1/confup and /api/v1/ndconfig endpoints (UNION-based, targeting SQLite) should be monitored for unauthenticated exploitation.
  • Encrypted device passwords returned by the API are AES-256-CBC encrypted with a hardcoded static key; presence of this key in memory or config indicates compromise.
  • The static AES-256-CBC decryption key is hardcoded in the application and applies to all PDNU versions prior to v2.8.3; all device credentials stored in the application are at risk.
  • The PDNU REST API on port 8085 requires no authentication prior to v2.8.3, exposing all API endpoints including device credential retrieval and configuration modification.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.8     CRITICAL