CVE-2024-32739

7.5 HIGH

📋 TL;DR

An unauthenticated SQL injection vulnerability in CyberPower PowerPanel Enterprise allows remote attackers to execute arbitrary SQL commands and leak sensitive information. This affects PowerPanel Enterprise versions prior to v2.8.3. Attackers can exploit this without authentication via the query_ptask_verbose function.

💻 Affected Systems

Products:
  • CyberPower PowerPanel Enterprise
Versions: All versions prior to v2.8.3
Operating Systems: Windows, Linux (where PowerPanel Enterprise is installed)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects PowerPanel Enterprise management software for CyberPower UPS systems. The vulnerability is in the MCUDBHelper component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including credential theft, configuration data exfiltration, and potential system takeover through subsequent attacks.

🟠

Likely Case

Sensitive information disclosure including user credentials, system configurations, and operational data from the database.

🟢

If Mitigated

Limited impact with proper network segmentation and database permissions, though SQL injection remains possible.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows attackers to target exposed instances directly.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this, but requires network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - SQL injection via unauthenticated endpoint with documented vulnerable function.

Vulnerability is well-documented with specific function identified, making exploitation straightforward for attackers with SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.8.3

Vendor Advisory: https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote

Restart Required: Yes

Instructions:

1. Download PowerPanel Enterprise v2.8.3 from the CyberPower website.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the PowerPanel services.
5. Verify that the version shows 2.8.3.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to PowerPanel Enterprise management interface to trusted IPs only.

Use firewall rules to allow only specific source IPs to reach the PowerPanel port (default 3050).

Database Permission Reduction

all

Limit database user permissions to minimum required for PowerPanel operations.

ALTER USER powerpanel_user WITH NOSUPERUSER NOCREATEDB NOCREATEROLE;

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PowerPanel systems from untrusted networks.
  • Deploy web application firewall (WAF) with SQL injection protection rules in front of PowerPanel interface.

🔍 How to Verify

Check if Vulnerable:

Check PowerPanel Enterprise version in web interface or configuration files. Versions below 2.8.3 are vulnerable.

Check Version:

On Windows: Check PowerPanel installation directory for version.txt. On Linux: Check /opt/CyberPower/PowerPanel/version or similar.

Verify Fix Applied:

Verify version shows 2.8.3 in PowerPanel web interface or via version check command.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by SQL-like requests
  • Requests to query_ptask_verbose endpoint with suspicious parameters

Network Indicators:

  • SQL injection patterns in HTTP requests to PowerPanel
  • Unusual database connections from PowerPanel host
  • Excessive data transfer from PowerPanel system

SIEM Query:

source="powerpanel.log" AND ("query_ptask_verbose" OR sql_injection_patterns)
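As an added defender-side example (not part of this advisory or of the vendor's software), the log indicator above, requests to query_ptask_verbose with suspicious parameters, implemented as a scanner over constructed access-log lines. The request path `/api/query_ptask_verbose`, the `task_id` parameter and the combined log format are assumptions, since the page does not give them.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines in a generic combined format. The real
# PowerPanel Enterprise log format, request path and parameter name are not
# given in the advisory and are assumed here for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /api/query_ptask_verbose?task_id=42 HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2024:10:01:07 +0000] "GET /api/query_ptask_verbose?task_id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9031
10.0.0.5 - - [12/May/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [12/May/2024:10:02:10 +0000] "GET /api/query_ptask_verbose?task_id=42%20UNION%20SELECT%201 HTTP/1.1" 500 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL metacharacters and keywords that never belong in a numeric task identifier.
SUSPICIOUS_RE = re.compile(r"(['\";]|--|/\*|\b(OR|AND|UNION|SELECT|DROP|SLEEP)\b)", re.IGNORECASE)

def suspicious_values(url):
    """Return (parameter, decoded value) pairs on a query_ptask_verbose request
    whose value contains SQL metacharacters or keywords; [] for other requests."""
    parts = urlsplit(url)
    if "query_ptask_verbose" not in parts.path:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double-encoded values
            if SUSPICIOUS_RE.search(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(text):
    """Parse each access-log line and return (client_ip, status, parameter, value)
    for every request to query_ptask_verbose that carries a suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the scan
        for name, value in suspicious_values(m["url"]):
            alerts.append((m["ip"], int(m["status"]), name, value))
    return alerts

if __name__ == "__main__":
    for ip, status, name, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} status={status} {name}={value!r}")
```

A 500 response on a flagged request is worth correlating with the database logs, since a malformed injected query typically surfaces there as a syntax error.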

🔗 References
