CVE-2024-31856 - Vulnerability Details - OpenCVE

An attacker with certain MQTT permissions can create malicious messages
to all CyberPower PowerPanel devices. This could result in an attacker injecting
SQL syntax, writing arbitrary files to the system, and executing remote
code.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00257.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Cyberpower	Powerpanel Powerpanel Business

Configuration 1 [-]

cpe:2.3:a:cyberpower:powerpanel:*:*:*:*:business:windows:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-34452	An attacker with certain MQTT permissions can create malicious messages to all CyberPower PowerPanel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.

Fixes

Solution

CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities. https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01
https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads

History

Wed, 30 Jul 2025 00:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cyberpower powerpanel
CPEs		cpe:2.3:a:cyberpower:powerpanel:::::business:windows::
Vendors & Products		Cyberpower powerpanel

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-05-15T19:52:37.407Z

Updated: 2024-08-02T01:59:49.843Z

Reserved: 2024-04-29T16:47:22.333Z

Link: CVE-2024-31856

Vulnrichment

Updated: 2024-05-16T18:09:22.415Z

NVD

Status : Analyzed

Published: 2024-05-15T20:15:11.710

Modified: 2025-07-30T00:20:33.280

Link: CVE-2024-31856

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31856", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-04-29T16:47:22.333Z", "datePublished": "2024-05-15T19:52:37.407Z", "dateUpdated": "2024-08-02T01:59:49.843Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PowerPanel business", "vendor": "CyberPower", "versions": [{"lessThan": "4.9.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>\n\nAn attacker with certain MQTT permissions can create malicious messages \nto all CyberPower PowerPanel devices. This could result in an attacker injecting \nSQL syntax, writing arbitrary files to the system, and executing remote \ncode.\n\n<br></div>"}], "value": "An attacker with certain MQTT permissions can create malicious messages \nto all CyberPower PowerPanel devices. This could result in an attacker injecting \nSQL syntax, writing arbitrary files to the system, and executing remote \ncode."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-05-15T19:52:37.407Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"}, {"url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<p>CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\">https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads</a><br></p>\n\n<br>"}], "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "source": {"advisory": "ICSA-24-123-01", "discovery": "EXTERNAL"}, "title": "CyberPower PowerPanel business SQL Injection", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31856", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-16T18:07:00.379722Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"], "vendor": "cyberpower", "product": "powerpanel_business", "versions": [{"status": "affected", "version": "0", "lessThan": "4.9.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:36:10.715Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:59:49.843Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01", "tags": ["x_transferred"]}, {"url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31856", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-04-29T16:47:22.333Z", "datePublished": "2024-05-15T19:52:37.407Z", "dateUpdated": "2024-06-04T17:36:10.715Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PowerPanel business", "vendor": "CyberPower", "versions": [{"lessThan": "4.9.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>\n\nAn attacker with certain MQTT permissions can create malicious messages \nto all CyberPower PowerPanel devices. This could result in an attacker injecting \nSQL syntax, writing arbitrary files to the system, and executing remote \ncode.\n\n<br></div>"}], "value": "An attacker with certain MQTT permissions can create malicious messages \nto all CyberPower PowerPanel devices. This could result in an attacker injecting \nSQL syntax, writing arbitrary files to the system, and executing remote \ncode."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-05-15T19:52:37.407Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"}, {"url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<p>CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\">https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads</a><br></p>\n\n<br>"}], "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "source": {"advisory": "ICSA-24-123-01", "discovery": "EXTERNAL"}, "title": "CyberPower PowerPanel business SQL Injection", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31856", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-16T18:07:00.379722Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"], "vendor": "cyberpower", "product": "powerpanel_business", "versions": [{"status": "affected", "version": "0", "lessThan": "4.9.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-16T18:09:22.415Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cyberpower:powerpanel:*:*:*:*:business:windows:*:*", "matchCriteriaId": "63016483-EF5A-42FE-BBC2-D7E66C24B9B1", "versionEndIncluding": "4.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker with certain MQTT permissions can create malicious messages \nto all CyberPower PowerPanel devices. This could result in an attacker injecting \nSQL syntax, writing arbitrary files to the system, and executing remote \ncode."}, {"lang": "es", "value": "Un atacante con ciertos permisos MQTT puede crear mensajes maliciosos para todos los dispositivos CyberPower PowerPanel. Esto podr\u00eda provocar que un atacante inyecte sintaxis SQL, escriba archivos arbitrarios en el sistema y ejecute c\u00f3digo remoto."}], "id": "CVE-2024-31856", "lastModified": "2025-07-30T00:20:33.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-15T20:15:11.710", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}