CVE-2024-32737 Scanner
CVE-2024-32737 Scanner - SQL Injection vulnerability in CyberPower PowerPanel Enterprise
Short Info
Level
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 22 days 20 hours
Scan only one: URL
Toolbox: -
CyberPower PowerPanel Enterprise is a widely used software application designed to manage, monitor, and control uninterruptible power supplies (UPS) and other connected equipment. It is typically utilized by businesses and IT departments to ensure power continuity and safeguard critical systems. The software provides comprehensive power management functionalities, enabling administrators to automate power-related tasks and manage energy usage efficiently. Its user-friendly interface and robust features make it a popular choice for managing multiple UPS units within network environments. CyberPower PowerPanel Enterprise is employed across various industries including IT services, manufacturing, and healthcare for maintaining operational continuity.
The SQL Injection vulnerability identified in CyberPower PowerPanel Enterprise allows an attacker to manipulate SQL queries executed by the application. This vulnerability arises when user inputs are improperly sanitized, allowing an attacker to inject arbitrary SQL code into the database query. Such vulnerabilities can lead to unauthorized access to sensitive data, bypassing of authentication mechanisms, or even complete takeover of the application. The flaw is located in the "query_contract_result" function in MCUDBHelper. By exploiting this flaw, attackers can potentially leak database content and compromise the integrity of the stored data.
Technically, an unauthenticated attacker sends crafted SQL payloads to the API endpoint "/api/v1/confup", whose parameters are improperly sanitized. The SQL commands are injected through the 'uid' parameter of the API request. Exploitation requires no authentication, which increases the severity of the potential impact. When the injected SQL query is executed, the API endpoint responds with the database version. This indicates successful exploitation, potentially leading to broader data exposure and application integrity issues.
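A defender-side log check for the request pattern described above, as an added example that is not part of the original page or of the vendor's code: it flags requests to "/api/v1/confup" whose 'uid' value is not a plain identifier. The access-log format, the assumption that 'uid' is visible in the query string, the allowlist pattern and the sample lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/v1/confup"          # endpoint named on this page
# Assumption: a legitimate uid is a short plain identifier.
SAFE_UID = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Assumption: Combined Log Format -> ip ... "METHOD target HTTP/x" status
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)

def suspicious_confup_requests(lines):
    """Return requests to ENDPOINT whose uid fails the allowlist."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != ENDPOINT:
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are seen
        # in clear; keep_blank_values also surfaces an empty "uid=".
        params = parse_qs(url.query, keep_blank_values=True)
        for uid in params.get("uid", []):
            if not SAFE_UID.fullmatch(uid):
                findings.append(
                    {"ip": m["ip"], "status": int(m["status"]), "uid": uid}
                )
    return findings

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2024:10:00:01 +0000] '
    '"POST /api/v1/confup?uid=device-42 HTTP/1.1" 200 118',
    '198.51.100.7 - - [01/Jun/2024:10:00:05 +0000] '
    '"POST /api/v1/confup?uid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 342',
    '198.51.100.7 - - [01/Jun/2024:10:00:09 +0000] '
    '"GET /index.html?uid=1%27 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jun/2024:10:01:00 +0000] '
    '"POST /api/v1/confup HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in suspicious_confup_requests(SAMPLE_LOG):
        print(hit)
```

If the parameter is sent in the request body rather than the query string, the access log will not contain it, and the same allowlist check has to run at a reverse proxy or WAF that can see the body.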
The exploitation of this SQL Injection vulnerability can result in significant security ramifications. Sensitive information within the database, such as user credentials and configuration data, could be exfiltrated, leading to a breach of user privacy and data loss. Additionally, attackers could perform unauthorized actions on the database, modify or delete critical data, and disrupt the application's normal operations. Such breaches can damage the organization's reputation, cause financial losses, and lead to regulatory compliance failures. Effective exploitation might also pave the way for further network intrusions and escalating attacks.