CVE-2024-32738
Published: 14 May 2024
Summary
CVE-2024-32738 is a high-severity SQL injection (CWE-89) vulnerability in CyberPower PowerPanel Enterprise. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A SQL injection vulnerability exists in CyberPower PowerPanel Enterprise versions prior to 2.8.3. The flaw resides in the query_ptask_lean function within the MCUDBHelper component and is tracked as CWE-89. It carries a CVSS 3.1 score of 7.5, reflecting network-accessible attack vectors that require no authentication or user interaction and result in high confidentiality impact.
An unauthenticated remote attacker can supply crafted input to the affected function and extract sensitive information from the underlying database. Because the vulnerability is reachable without credentials, exploitation can originate from any network position that can reach the PowerPanel Enterprise instance.
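To make the weakness class concrete, the following is an added example and not CyberPower's code: the page names query_ptask_lean but does not show its query, so the table names, columns, rows and the attacker payload below are all constructed stand-ins. It places a query that concatenates untrusted input into SQL text (CWE-89) beside the parameterised form, and shows that the same input leaks rows from an unrelated table in the first case and matches nothing in the second.

```python
import sqlite3


def build_db():
    """Constructed in-memory database; the schema is invented for this
    example and does not describe PowerPanel Enterprise."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE ptask (id INTEGER, name TEXT, state TEXT)")
    cur.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    cur.executemany(
        "INSERT INTO ptask VALUES (?, ?, ?)",
        [(1, "backup", "idle"), (2, "shutdown", "done")],
    )
    cur.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "$2b$12$constructedhash")],  # constructed sample row
    )
    conn.commit()
    return conn


def query_ptask_vulnerable(conn, state):
    """CWE-89 pattern (hypothetical, not the vendor's code): the caller's
    string is pasted into the SQL text, so it can change the query."""
    sql = "SELECT id, name FROM ptask WHERE state = '" + state + "'"
    return conn.execute(sql).fetchall()


def query_ptask_fixed(conn, state):
    """Parameterised form: the driver passes `state` as a bound value, so
    quotes, UNION and comment markers in it are just data."""
    sql = "SELECT id, name FROM ptask WHERE state = ?"
    return conn.execute(sql, (state,)).fetchall()


# Constructed attacker input: closes the string literal, appends a UNION that
# pulls rows from another table, and comments out the original closing quote.
PAYLOAD = "idle' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", query_ptask_vulnerable(db, PAYLOAD))
    print("fixed:     ", query_ptask_fixed(db, PAYLOAD))
```

With the vulnerable function the result set contains the users row alongside the legitimate ptask rows; with the parameterised function the payload is compared as a literal state value and returns nothing. The same check (does a quote-and-UNION input change the result shape?) is a quick way to triage any lookup function reachable without authentication.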
Vendor release notes and Tenable research indicate that the issue is resolved in version 2.8.3; administrators should apply the update referenced in CyberPower advisory SU-18070002-07. The EPSS score reached a peak of 0.5600 and currently stands at 0.4963.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-30525
Vulnerability details
A SQL injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection")
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in a public-facing network utility enables exploitation of public-facing applications (T1190) and unauthorized access to leak sensitive information from the database (T1213.006).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.