Powerpanel
CVE-2023-25133
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors.
AnalysisAI
Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors. Affected products include: Cyberpower Powerpanel.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.
More in Powerpanel
View allAn issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8
CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST req
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. Rated high severity (CVSS 7.5)
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. Rated high severity (CVSS 7.5)
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. Rated high severity (CVSS 7.5)
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. Rated high severity (CVSS 7.5)
CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. Rated critical
CyberPower PowerPanel business application code contains a hard-coded JWT signing key. Rated critical severity (CVSS 9.8
Hard-coded credentials are used by the CyberPower PowerPanel platform to authenticate to the database, other services, a
Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. Rated critical sev
Unrestricted upload of file with dangerous type vulnerability in default.cmd file in PowerPanel Business Local/Remote fo
Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Bus
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today