CVE-2024-33625: 
Homebrew vulnerability analysis and mitigation

CyberPower PowerPanel business application code contains a hard-coded JWT signing key, identified as CVE-2024-33625. This vulnerability was discovered and disclosed on May 15, 2024, affecting PowerPanel business versions 4.9.0 and prior. The vulnerability has been assigned a critical CVSS v3.1 base score of 9.8 (ICS-CERT).

The vulnerability is classified as a Use of Hard-coded Password (CWE-259) issue. The application contains a hard-coded JWT signing key in its code, which creates a significant security weakness. The CVSS v3.1 vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (ICS-CERT).

A successful exploitation of this vulnerability could result in an attacker forging JWT tokens to bypass authentication mechanisms. This could potentially give unauthorized access to the system with elevated privileges (ICS-CERT).

CyberPower has released version 4.10.1 of PowerPanel business that fixes this vulnerability. Users are strongly advised to update to this version or later. Additionally, CISA recommends minimizing network exposure for control system devices, ensuring they are not accessible from the internet, and using secure methods such as VPNs when remote access is required (ICS-CERT).