Login Sign Up

CVE-2024-32737

7.5 HIGH
SQL Injection

📋 TL;DR

An unauthenticated SQL injection vulnerability in CyberPower PowerPanel Enterprise allows remote attackers to execute arbitrary SQL commands via the 'query_contract_result' function. This can lead to sensitive information disclosure from the database. All systems running PowerPanel Enterprise versions prior to 2.8.3 are affected.

💻 Affected Systems

Products:
  • CyberPower PowerPanel Enterprise
Versions: All versions prior to 2.8.3
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the MCUDBHelper component and affects all default installations.

📦 What is this software?

Powerpanel by Cyberpower

View all CVEs affecting Powerpanel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including extraction of credentials, configuration data, and sensitive operational information, potentially leading to full system takeover.

🟠

Likely Case

Unauthorized access to sensitive information stored in the database, including user credentials, device configurations, and operational data.

🟢

If Mitigated

Limited impact with proper network segmentation and database access controls, though SQL injection would still be possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly exploited and this one requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.3

Vendor Advisory: https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote

Restart Required: Yes

Instructions:

1. Download PowerPanel Enterprise v2.8.3 from CyberPower website. 2. Backup current configuration. 3. Install the update following vendor instructions. 4. Restart the PowerPanel service.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to PowerPanel Enterprise to only trusted internal networks.

Web Application Firewall

all

Deploy a WAF with SQL injection protection rules in front of PowerPanel Enterprise.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted IP addresses only.
  • Deploy a web application firewall with SQL injection detection and prevention capabilities.

🔍 How to Verify

Check if Vulnerable:

Check PowerPanel Enterprise version in the web interface or configuration files. If version is below 2.8.3, the system is vulnerable.

Check Version:

Check web interface or refer to installation documentation for version verification.

Verify Fix Applied:

Confirm version is 2.8.3 or higher in the web interface or configuration files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns in database logs
  • Multiple failed authentication attempts followed by SQL-like payloads in web logs

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) to PowerPanel endpoints
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (url="*query_contract_result*" AND (payload="*SELECT*" OR payload="*UNION*" OR payload="*OR 1=1*"))

📊 Metadata

CVE ID: CVE-2024-32737
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-89
Published: May 14, 2024
Last Updated: October 23, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-32737, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)