CVE-2024-31410 - Vulnerability Details - OpenCVE

The devices which CyberPower PowerPanel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Cyberpower	Powerpanel Powerpanel Business

Configuration 1 [-]

cpe:2.3:a:cyberpower:powerpanel:*:*:*:*:business:windows:*:*

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01
https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads

History

Wed, 30 Jul 2025 00:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cyberpower powerpanel
CPEs		cpe:2.3:a:cyberpower:powerpanel:::::business:windows::
Vendors & Products		Cyberpower powerpanel

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-05-15T19:56:00.616Z

Updated: 2024-08-02T01:52:56.912Z

Reserved: 2024-04-29T16:47:22.319Z

Link: CVE-2024-31410

Vulnrichment

Updated: 2024-05-16T19:05:45.481Z

NVD

Status : Analyzed

Published: 2024-05-15T20:15:11.473

Modified: 2025-07-30T00:23:54.457

Link: CVE-2024-31410

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31410", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-04-29T16:47:22.319Z", "datePublished": "2024-05-15T19:56:00.616Z", "dateUpdated": "2024-08-02T01:52:56.912Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PowerPanel business", "vendor": "CyberPower", "versions": [{"lessThan": "4.9.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>\n\n\nThe devices which CyberPower PowerPanel manages use identical certificates based on a \nhard-coded cryptographic key. This can allow an attacker to impersonate \nany client in the system and send malicious data.\n\n<br></div>"}], "value": "The devices which CyberPower PowerPanel manages use identical certificates based on a \nhard-coded cryptographic key. This can allow an attacker to impersonate \nany client in the system and send malicious data."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-05-15T19:56:00.616Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"}, {"url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<p>CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\">https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads</a><br></p>\n\n<br>"}], "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "source": {"advisory": "ICSA-24-123-01", "discovery": "EXTERNAL"}, "title": "CyberPower PowerPanel business Use of Hard-coded Cryptographic Key", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-16T19:10:08.503295Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"], "vendor": "cyberpower", "product": "powerpanel_business", "versions": [{"status": "affected", "version": "0", "lessThan": "4.9.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:36:22.390Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:52:56.912Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01", "tags": ["x_transferred"]}, {"url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31410", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-04-29T16:47:22.319Z", "datePublished": "2024-05-15T19:56:00.616Z", "dateUpdated": "2024-06-04T17:36:22.390Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PowerPanel business", "vendor": "CyberPower", "versions": [{"lessThan": "4.9.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>\n\n\nThe devices which CyberPower PowerPanel manages use identical certificates based on a \nhard-coded cryptographic key. This can allow an attacker to impersonate \nany client in the system and send malicious data.\n\n<br></div>"}], "value": "The devices which CyberPower PowerPanel manages use identical certificates based on a \nhard-coded cryptographic key. This can allow an attacker to impersonate \nany client in the system and send malicious data."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-05-15T19:56:00.616Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"}, {"url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<p>CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\">https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads</a><br></p>\n\n<br>"}], "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "source": {"advisory": "ICSA-24-123-01", "discovery": "EXTERNAL"}, "title": "CyberPower PowerPanel business Use of Hard-coded Cryptographic Key", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-16T19:10:08.503295Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"], "vendor": "cyberpower", "product": "powerpanel_business", "versions": [{"status": "affected", "version": "0", "lessThan": "4.9.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-16T19:05:45.481Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cyberpower:powerpanel:*:*:*:*:business:windows:*:*", "matchCriteriaId": "63016483-EF5A-42FE-BBC2-D7E66C24B9B1", "versionEndIncluding": "4.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The devices which CyberPower PowerPanel manages use identical certificates based on a \nhard-coded cryptographic key. This can allow an attacker to impersonate \nany client in the system and send malicious data."}, {"lang": "es", "value": "Los dispositivos que gestiona CyberPower PowerPanel utilizan certificados id\u00e9nticos basados en una clave criptogr\u00e1fica codificada. Esto puede permitir que un atacante se haga pasar por cualquier cliente del sistema y env\u00ede datos maliciosos."}], "id": "CVE-2024-31410", "lastModified": "2025-07-30T00:23:54.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-15T20:15:11.473", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}