cbcvebase.
CVE-2024-32736
published 2024-05-14

CVE-2024-32736: A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via…

PriorityP179high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
5.41%
91.7th percentile
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_utask_verbose" function within MCUDBHelper.

Affected

2 ranges
VendorProductVersion rangeFixed in
cyberpowercyberpower_powerpanel_enterprise< 2.8.32.8.3
cyberpowerpowerpanel< 2.8.32.8.3

Detection & IOCsextracted from sources · hover to see the quote

url/api/v1/confup?mode=&uid=1'%20UNION%20select%201,2,3,4,sqlite_version();--
port8085
path/api/v1/confup
  • Detect SQLi exploitation of CVE-2024-32736 by monitoring GET requests to /api/v1/confup with a 'uid' parameter containing UNION SELECT payloads (e.g., UNION%20select or UNION select) targeting port 8085.
  • A successful SQLi response returns JSON with keys 'status':'finished' and 'results' containing fields ip, mac, action, ts, code — monitor for anomalous values in these fields (e.g., SQLite version string in 'code').
  • The vulnerable function is query_utask_verbose in mcu.jar (com.cyberpower.mcu.core.persist.MCUDBHelper); the user-supplied parameter contract_uuid (mapped to 'uid' in the REST API) is injected unsanitized into a raw SQL string — look for single-quote characters and SQL keywords in the uid query parameter.
  • The endpoint is unauthenticated — no session token or credentials are required to exploit the SQLi; alert on any unauthenticated access to /api/v1/confup from external/untrusted sources.
  • Nuclei template detection: match HTTP 200 response with Content-Type application/json, body containing '{"status":"finished' and '"results":', and regex match on '"code":"([0-9.]+)"' to confirm SQLite version exfiltration via UNION injection.
  • ·The vulnerability affects CyberPower PowerPanel Enterprise versions prior to v2.8.3 only; v2.8.3 and later are patched.
  • ·The PDNU REST API listens on port 8085; detections should be scoped to this non-standard port to reduce false positives.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.