CVE-2024-33625
published 2024-05-15
CVE-2024-33625: CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass…
Priority P2 · 60 · critical · 9.8 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.52% (40.4th percentile)
CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyberpower | powerpanel | <= 4.9.0 | — |
| cyberpower | powerpanel_business | < 4.9.0 | 4.9.0 |
GHSA
GHSA-xh9q-q8cm-cwp3: CyberPower PowerPanel business application code contains a hard-coded JWT signing key
ghsa_unreviewed · 2024-05-15
CVE-2024-33625 [CRITICAL] CWE-259
CISA ICS
cisa_ics · 2025-08-12 · CVSS 9.8
[CRITICAL] ICS Advisory
## CyberPower PowerPanel business
Last Revised: August 12, 2025
Alert Code: ICSA-24-123-01
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: CyberPower
- Equipment: PowerPanel Business
- Vulnerabilities: Use of Hard-coded Password, Relative Path Traversal, Use of Hard-coded Credentials, Active Debug Code, Storing Passwords in a Recoverable Format, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), Use of Hard-coded Cryptographic Key, Incorrect Authorization
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in an attacker bypassin
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01
https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads
Published: 2024-05-15