cbcvebase.
CVE-2024-32737
published 2024-05-14

Priority: P179 high
CVSS 3.1 base score: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Flags: ITW (in the wild), exploit available, VulnCheck KEV
Exploited in the wild
EPSS: 5.41% (91.7th percentile)
A SQL injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper.

Affected (2 ranges)

Vendor       Product                           Version range   Fixed in
cyberpower   cyberpower_powerpanel_enterprise  < 2.8.3         2.8.3
cyberpower   powerpanel                        < 2.8.3         2.8.3

Detection & IOCs (extracted from sources)

url:  /api/v1/confup?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--
port: 8085
path: /api/v1/confup
nuclei template (YAML):
id: CVE-2024-32737
http:
- method: GET
  path:
  - "{{BaseURL}}/api/v1/confup?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--"
  matchers-condition: and
  matchers:
  - type: word
    part: body
    words:
    - ':"finished"'
    - '"success":'
    condition: and
  - type: word
    part: content_type
    words:
    - 'application/json'
  - type: status
    status:
    - 200
  • The SQLi payload targets the 'uid' parameter on the /api/v1/confup endpoint with mode=lean. A UNION-based injection using sqlite_version() confirms exploitation; look for JSON responses containing '"status":"finished"' and the SQLite version string (e.g. 3.21.0) in the '"modifiedtime"' field.
  • The vulnerable function is query_contract_result in mcu.jar (com.cyberpower.mcu.core.persist.MCUDBHelper). The unsanitized user-supplied parameter 'contract_uuid' (mapped to 'uid' in the HTTP request) is interpolated directly into a SQL query string via String.format().
  • Shodan query 'html:"PDNU"' can be used to identify internet-exposed CyberPower PowerPanel Enterprise (PDNU) instances potentially vulnerable to this CVE.
  • The exploit requires no authentication (PR:N, UI:N). Any unauthenticated HTTP GET request to /api/v1/confup?mode=lean with a SQLi payload in the 'uid' parameter on port 8085 should be treated as an active exploitation attempt.
  • Vulnerability affects CyberPower PowerPanel Enterprise versions prior to v2.8.3 only. Systems running v2.8.3 or later are not affected.
  • The backend database is SQLite (version 3.21.0 confirmed in PoC output). Detection rules and exploitation payloads are SQLite-specific (e.g., sqlite_version()), not generic SQL.
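The detection guidance in the notes above, turned into a log scanner as an added example (not code from the advisory, CyberPower, or the Nuclei template): it reads Common Log Format access-log lines, keeps only requests to /api/v1/confup, and flags any whose decoded 'uid' parameter carries SQL injection markers, not only those with mode=lean, recording whether the server answered 200. The log format and the sample lines are assumptions constructed for the example.

```python
# Added example (not vendor/advisory code): flag access-log lines that probe
# /api/v1/confup with SQL injection markers in 'uid'. Sample lines are constructed.
import re
from urllib.parse import unquote_plus, urlsplit
# Common Log Format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Markers a legitimate uid never contains; sqlite_version() is the PoC's fingerprint.
SQLI_MARKERS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"--|/\*"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "sqlite_version": re.compile(r"sqlite_version\s*\(", re.I),
}

def parse_query(query):
    """Split on '&' only, so the ';--' tail of the payload stays inside uid."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params[unquote_plus(key)] = unquote_plus(value)
    return params

def inspect_line(line):
    m = LOG_RE.match(line)
    url = urlsplit(m.group("target")) if m else None
    if url is None or url.path != "/api/v1/confup":
        return None  # not a request to the vulnerable endpoint
    params = parse_query(url.query)
    uid = params.get("uid", "")
    hits = [name for name, rx in SQLI_MARKERS.items() if rx.search(uid)]
    if not hits:
        return None  # ordinary uid, nothing to report
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"), "status": status, "uid": uid, "markers": hits,
        "mode": params.get("mode", ""),  # known exploitation uses mode=lean
        # 200 to a UNION probe suggests success; confirm '"status":"finished"' in the body
        "likely_success": status == 200 and "union_select" in hits,
    }

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

SAMPLE_LOG = [  # constructed, not real traffic; PDNU listens on port 8085
    '203.0.113.7 - - [14/May/2024:10:01:02 +0000] "GET /api/v1/confup?mode=lean&uid=1 HTTP/1.1" 200 312',
    '203.0.113.7 - - [14/May/2024:10:01:05 +0000] "GET /api/v1/confup?mode=lean&uid=1\'%20UNION%20select%201,2,3,sqlite_version();-- HTTP/1.1" 200 345',
    '198.51.100.9 - - [14/May/2024:10:02:11 +0000] "GET /api/v1/confup?mode=lean&uid=1\'-- HTTP/1.1" 500 88',
    '198.51.100.9 - - [14/May/2024:10:02:30 +0000] "GET /login?user=o\'brien HTTP/1.1" 200 1024',
]
```

Running `scan(SAMPLE_LOG)` reports the two probing requests and leaves the benign uid and the unrelated /login request alone.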

CVSS provenance

NVD (v3.1):  7.5 HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck:   7.5 HIGH