// For flags

CVE-2024-31856

CyberPower PowerPanel business SQL Injection

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

An attacker with certain MQTT permissions can create malicious messages
to all CyberPower PowerPanel devices. This could result in an attacker injecting
SQL syntax, writing arbitrary files to the system, and executing remote
code.

Un atacante con ciertos permisos MQTT puede crear mensajes maliciosos para todos los dispositivos CyberPower PowerPanel. Esto podría provocar que un atacante inyecte sintaxis SQL, escriba archivos arbitrarios en el sistema y ejecute código remoto.

*Credits: Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-04-29 CVE Reserved
  • 2024-05-15 CVE Published
  • 2024-05-16 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
CyberPower
Search vendor "CyberPower"
 PowerPanel Business
Search vendor "CyberPower" for product "PowerPanel Business"
 < 4.9.0
Search vendor "CyberPower" for product "PowerPanel Business" and version " < 4.9.0"
en
Affected