CVE-2024-32738
published 2024-05-14

Priority: P1, 79 (high)
CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 4.52% (90.3th percentile)
A SQL injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper.

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyberpower | cyberpower_powerpanel_enterprise | < 2.8.3 | 2.8.3 |
| cyberpower | powerpanel | < 2.8.3 | 2.8.3 |

Detection & IOCs (extracted from sources)

url: /api/v1/ndconfig?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--
port: 8085
command: curl "<target>:8085/api/v1/ndconfig?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--"
path: /api/v1/ndconfig
sigma: matchers: body contains ':"finished"' AND '"success":' AND 'modifiedtime":' with content-type application/json and HTTP 200
  • The SQLi payload is injected via the 'uid' query parameter on the /api/v1/ndconfig endpoint with mode=lean. A UNION-based injection using sqlite_version() is the PoC technique. Detect requests containing UNION select patterns targeting this endpoint.
  • The vulnerable function is query_ptask_lean in mcu.jar (com.cyberpower.mcu.core.persist.MCUDBHelper). It directly interpolates the contract_uuid parameter into a SQL query against the pcontractresult table without sanitization.
  • Successful exploitation returns a JSON response with status 'finished' and a 'modifiedtime' field containing the injected value (e.g., SQLite version string). Use the regex '"modifiedtime":"([0-9.]+)"' to confirm data exfiltration.
  • Shodan query 'html:"PDNU"' can be used to identify internet-exposed CyberPower PowerPanel Enterprise (PDNU) instances potentially vulnerable to this CVE.
  • The vulnerability is unauthenticated (PR:N, UI:N). No session or credentials are required to exploit the /api/v1/ndconfig endpoint on port 8085.
  • The vulnerability affects CyberPower PowerPanel Enterprise versions prior to v2.8.3 only. Version 2.8.3 and later are patched.
  • The backend database is SQLite (version 3.21.0 observed in PoC output), which limits certain SQLi techniques but allows UNION-based data extraction.
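
The request-side detection described in the notes above, as an added example (not code from the vendor or from any source this page quotes): it scans web access logs for /api/v1/ndconfig requests whose uid value carries SQL syntax. The combined log format, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: access logs are in combined format; adjust REQ for other layouts.
REQ = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# SQL syntax that has no place in an identifier-style uid value.
MARKERS = {
    "quote": re.compile(r"['\"]"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "comment": re.compile(r"--|/\*"),
    "semicolon": re.compile(r";"),
}

# Constructed sample lines (documentation IP ranges); line 2 is the request quoted on the page.
SAMPLE_LOG = """\
203.0.113.5 - - [14/May/2024:10:00:01 +0000] "GET /api/v1/ndconfig?mode=lean&uid=4f1c2a9e HTTP/1.1" 200 312
198.51.100.7 - - [14/May/2024:10:00:02 +0000] "GET /api/v1/ndconfig?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();-- HTTP/1.1" 200 188
203.0.113.5 - - [14/May/2024:10:00:03 +0000] "GET /index.html?q=union%20select HTTP/1.1" 200 5120
"""

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %2527) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a suspicious uid on /api/v1/ndconfig, else None."""
    m = REQ.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path.rstrip("/").lower() != "/api/v1/ndconfig":
        return None
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote(key).lower() != "uid":
            continue
        value = decode_fully(raw.replace("+", " "))
        hits = sorted(n for n, rx in MARKERS.items() if rx.search(value))
        if hits:
            return {"ip": m["ip"], "status": int(m["status"]), "uid": value, "markers": hits}
    return None

def scan(lines):
    """Return findings for every log line that matches."""
    return [f for f in map(inspect_line, lines) if f]
```

Call scan(SAMPLE_LOG.splitlines()) to see the single finding for the sample data. A finding with status 200 on a host running a version prior to 2.8.3 is worth checking against the response-side matchers listed above.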

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH