Security Advisory

PowerMaster+ Hidden System Account

PowerMaster+ contains a hidden administrative account that can be used to gain remote code execution.

Advisory ID: MLSA-2025-004
CVE: none
CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Severity: critical
Affected versions: 1.2.2
Fixed versions: 1.2.3
Discovered by: Hans-Martin Münch
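The CVSS 4.0 vector above is what most teams key their prioritisation on, so it is worth parsing it rather than eyeballing it. The following is an added example, not part of this advisory and not code from the PowerMaster+ vendor: a small validator for CVSS v4.0 base vectors that rejects malformed, duplicated, or incomplete metrics and derives a few triage tags (the tag names are this example's own convention, not CVSS terminology). It does not compute the numeric score, which needs the specification's MacroVector tables.

```python
"""Parse and validate a CVSS v4.0 base vector for advisory triage.

Added example; not part of advisory MLSA-2025-004. The metric names and
permitted values are the CVSS v4.0 base metrics; the triage tags returned by
triage_tags() are this example's own convention.
"""

PREFIX = "CVSS:4.0/"

# The eleven CVSS v4.0 base metrics and their permitted values.
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"},  # Attack Vector: Network, Adjacent, Local, Physical
    "AC": {"L", "H"},            # Attack Complexity: Low, High
    "AT": {"N", "P"},            # Attack Requirements: None, Present
    "PR": {"N", "L", "H"},       # Privileges Required: None, Low, High
    "UI": {"N", "P", "A"},       # User Interaction: None, Passive, Active
    "VC": {"H", "L", "N"},       # Vulnerable System Confidentiality impact
    "VI": {"H", "L", "N"},       # Vulnerable System Integrity impact
    "VA": {"H", "L", "N"},       # Vulnerable System Availability impact
    "SC": {"H", "L", "N"},       # Subsequent System Confidentiality impact
    "SI": {"H", "L", "N"},       # Subsequent System Integrity impact
    "SA": {"H", "L", "N"},       # Subsequent System Availability impact
}

# The vector published in this advisory, used as the worked input.
ADVISORY_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"


class CvssVectorError(ValueError):
    """Raised for a malformed or incomplete CVSS v4.0 base vector."""


def parse_cvss4_base(vector: str) -> dict:
    """Return {metric: value} for a CVSS v4.0 base vector, or raise CvssVectorError."""
    if not vector.startswith(PREFIX):
        raise CvssVectorError("vector must start with " + PREFIX)
    metrics = {}
    for part in vector[len(PREFIX):].split("/"):
        name, sep, value = part.partition(":")
        if not sep or not value:
            raise CvssVectorError("malformed component: %r" % part)
        if name not in BASE_METRICS:
            # Threat, environmental and supplemental metrics are out of scope here.
            raise CvssVectorError("unknown or unsupported metric: " + name)
        if name in metrics:
            raise CvssVectorError("duplicate metric: " + name)
        if value not in BASE_METRICS[name]:
            raise CvssVectorError("invalid value %r for %s" % (value, name))
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise CvssVectorError("missing base metrics: " + ", ".join(missing))
    return metrics


def is_valid_cvss4_base(vector: str) -> bool:
    """Boolean wrapper around parse_cvss4_base() for ingestion filters."""
    try:
        parse_cvss4_base(vector)
        return True
    except CvssVectorError:
        return False


def triage_tags(vector: str) -> list:
    """Derive prioritisation tags from the parsed metrics (this example's own convention)."""
    m = parse_cvss4_base(vector)
    tags = []
    if m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N":
        tags.append("unauthenticated-remote")
    if m["AC"] == "L" and m["AT"] == "N":
        tags.append("no-preconditions")
    if all(m[k] == "H" for k in ("VC", "VI", "VA")):
        tags.append("full-vulnerable-system-impact")
    if any(m[k] != "N" for k in ("SC", "SI", "SA")):
        tags.append("subsequent-system-impact")
    return tags


if __name__ == "__main__":
    print(parse_cvss4_base(ADVISORY_VECTOR))
    print(triage_tags(ADVISORY_VECTOR))
```

For this advisory's vector the parser yields all three of the first tags and no subsequent-system tag, which matches the stated critical severity: reachable over the network, no credentials or user interaction needed, and full impact on the vulnerable host.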

Product description

From the website:
PowerMaster Management Software is designed for server and business solutions. It is ideal for IT professionals to monitor and manage the power status. It provides elegant, unattended shutdown of network computers and virtual machines connected to a battery backup during a power event. Power alert notifications can be sent via email, text, or instant message. The software is also compatible with SNMP Cards.

This software allows users remote access (from any network PC with a web browser) to critical power information, including battery condition, load levels, and run-time information. It also includes OS shutdown, event logging, internal reports and analysis, remote management, and more.

Details

PowerMaster+ includes a Spring Boot application running on TCP port 3052. The application contains a hidden administrative user account.

Username: encryption_key (encrypted: 385761CE9156A93756FC85BC2AE0D6E8)
Password: powermaster.encryption.keyODM (encrypted: DF68DF70AD60172EC9A021DD841477FA152A6F2C3EF4432DC250ABB802C3070F)

Once authenticated with this account, the import/export feature of the PowerMaster+ admin interface can be abused to achieve remote code execution with root or SYSTEM privileges.

The same hidden account also exists in the PowerMaster+ Management application, but there it has no assigned permissions: authenticating with these credentials does issue a JWT, but that token cannot be used to access the REST API.

Workarounds

None

Coordinated Disclosure Timeline

  • 05/05/2025 Identification of the vulnerability
  • 20/08/2025 Noticed that the vulnerability has been fixed in the latest PowerMaster+ version (1.2.3) but no security advisory has been released
  • 14/09/2025 Advisory release