CVE-2024-31856

HIGH

CyberPower PowerPanel < 4.9.0 - SQL Injection and Arbitrary File Write via MQTT Messages

Title source: llm
STIX 2.1

Description

An attacker with certain MQTT permissions can create malicious messages to all CyberPower PowerPanel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.

Scores

CVSS v3 8.8
EPSS 0.0053
EPSS Percentile 41.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
cyberpower/powerpanel < 4.9.0
Published May 15, 2024
Tracked Since Feb 18, 2026