ICS Advisory: CyberPower PowerPanel

Summary:

The View CSAF document reports a critical vulnerability in the CyberPower PowerPanel equipment, with a CVSS v3 score of 9.8. The vulnerabilities include:

1. Use of Hard-coded Password, Relative Path Traversal, Use of Hard-coded Credentials, Active Debug Code, Storing Passwords in a Recoverable Format, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), and Use of Hard-coded Cryptographic Key.
2. The affected versions of PowerPanel are 4.9.0 and prior.
3. Successful exploitation can result in an attacker bypassing authentication, forging JWT tokens, writing arbitrary files to the server, achieving code execution, and gaining access to services with the privileges of a PowerPanel application.
4. The recommended mitigation strategies include updating to PowerPanel Business v4.10.1 or later, minimizing network exposure, and using more secure remote access methods.
5. No known public exploitation has been reported to CISA at this time.

Risks:

Bypassing authentication and gaining administrator privileges
Forging JWT tokens to bypass authentication
Writing arbitrary files to the server and achieving code execution
Gaining access to services with the privileges of a PowerPanel application
Damaging the system or stealing sensitive information

Mitigation Strategies:

Upgrade to PowerPanel Business v4.10.1 or later
Minimize network exposure for all control system devices and/or systems
Use more secure remote access methods, such as Virtual Private Networks (VPNs)