Security Advisory

PowerMaster+ Hardcoded JWT Keys

A fixed JWT secret allows crafting access tokens, which can be used to gain remote code execution

Advisory ID: MLSA-2025-003
CVE: none
CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Severity: critical
Affected versions: 1.2.2
Fixed versions: 1.2.3
Discovered by: Hans-Martin Münch

Product description

From the website:
PowerMaster Management Software is designed for server and business solutions. It is ideal for IT professionals to monitor and manage the power status. It provides elegant, unattended shutdown of network computers and virtual machines connected to a battery backup during a power event. Power alert notifications can be sent via email, text, or instant message. The software is also compatible with SNMP Cards.

This software allows users remote access (from any network PC with a web browser) to critical power information, including battery condition, load levels, and run-time information. It also includes OS shutdown, event logging, internal reports and analysis, remote management, and more.

Details

PowerMaster+ includes a Spring Boot application listening on TCP port 3052 that uses JSON Web Tokens (JWTs) for authorization. The tokens are signed with hardcoded secrets fixed by the developers at build time, so every installation shares the same signing keys. Each PowerMaster+ component relies on its own static secret:

Remote: power-@Jwt!&Secret^#remote
Local: power-@Jwt!&Secret^#local
Management: power-@Jwt!&Secret^#management
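The following is an added illustration of the weakness class described above and of the mitigation a defender would expect; it is not code from PowerMaster+ or its vendor, and the secret string, environment variable name and key-file path in it are constructed placeholders. It implements HS256 signing and verification by hand, shows the weak pattern (one secret compiled into the application) beside a hardened loader that takes a per-installation secret from the environment or generates one, and refuses to start when the secret is short or matches a known built-in default.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional

# Constructed placeholder standing in for a secret compiled into an application.
# It is NOT a real secret; it only models the fixed-key pattern from the advisory.
HARDCODED_SECRET = "example-@Jwt!&Secret^#static"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce a compact HS256 JWT for the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the token is a valid HS256 JWT under `secret`, else None."""
    try:
        header, payload, sig = token.split(".")
        sig_bytes = b64url_decode(sig)
    except ValueError:  # wrong segment count or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # only the one algorithm this verifier was built for
    return json.loads(b64url_decode(payload))


def weak_secret_reasons(secret: bytes, known_defaults=(HARDCODED_SECRET,)) -> list:
    """List the reasons a JWT secret is unacceptable; empty list means it passes."""
    reasons = []
    if len(secret) < 32:
        reasons.append("shorter than 32 bytes (256 bits), the RFC 7518 minimum for HS256")
    if secret.decode(errors="ignore") in known_defaults:
        reasons.append("matches a known built-in default")
    return reasons


def load_secret_vulnerable() -> bytes:
    """The weak pattern: the same secret in every installation, recoverable from the shipped code."""
    return HARDCODED_SECRET.encode()


def load_secret_hardened(env_var: str = "APP_JWT_SECRET", keyfile: Optional[str] = None) -> bytes:
    """Hardened pattern (assumed, not the vendor's fix): per-installation secret from the
    environment or a 0600 key file, generated randomly on first start if neither exists."""
    value = os.environ.get(env_var)
    if value:
        secret = value.encode()
    elif keyfile and os.path.exists(keyfile):
        with open(keyfile, "rb") as f:
            secret = f.read()
    else:
        secret = secrets.token_bytes(32)
        if keyfile:
            # O_EXCL so a pre-existing file is never silently overwritten
            fd = os.open(keyfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as f:
                f.write(secret)
    problems = weak_secret_reasons(secret)
    if problems:
        raise RuntimeError("refusing to start with weak JWT secret: " + "; ".join(problems))
    return secret


if __name__ == "__main__":
    print("vulnerable loader:", weak_secret_reasons(load_secret_vulnerable()))
    key = load_secret_hardened(env_var="APP_JWT_SECRET_DEMO_UNSET")
    tok = sign_hs256({"sub": "operator"}, key)
    print("hardened loader: verifies as", verify_hs256(tok, key))
```

The startup check is the part worth copying: a service that validates its own signing key length and compares it against its shipped defaults cannot be deployed in the state this advisory describes, and a secret that lives in the environment or a root-only key file is rotatable after an incident, whereas a compiled-in constant is not.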

Because the signing secrets are fixed in the shipped software, anyone who can reach port 3052 can present a valid access token without knowing any credentials. The PowerMaster admin interface reachable with such a token includes an import/export feature that can be exploited to achieve remote code execution with root or SYSTEM privileges.

Workarounds

None

Coordinated Disclosure Timeline

  • 05/05/2025 Identification of the vulnerability
  • 20/08/2025 Noticed that the vulnerability has been fixed in the latest PowerMaster+ version (1.2.3) but no security advisory has been released
  • 14/09/2025 Advisory release