Security Advisory
PowerMaster+ Insecure Password Storage
User passwords are stored using 3DES encryption
CVE: none
CVSS: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Severity: medium
Affected versions: 1.2.2
Fixed versions: 1.2.3
Discovered by: Hans-Martin Münch
Product description
From the website:
PowerMaster Management Software is designed for server and business solutions. It is ideal for IT professionals to monitor and manage the power status. It provides elegant, unattended shutdown of network computers and virtual machines connected to a battery backup during a power event. Power alert notifications can be sent via email, text, or instant message. The software is also compatible with SNMP Cards.
This software allows users remote access (from any network PC with a web browser) to critical power information, including battery condition, load levels, and run-time information. It also includes OS shutdown, event logging, internal reports and analysis, remote management, and more.
Details
PowerMaster+ includes a Spring Boot application running on TCP port 3052, backed by an HSQLDB database. This database stores usernames and passwords, with credentials encrypted using reversible 3DES. While reversible encryption is necessary for credentials the application must itself present to other services (e.g., SMTP access), it is not required for user passwords, which only ever need to be verified, never recovered, and should therefore be stored as salted one-way hashes.
An attacker with access to the database can decrypt these credentials, potentially using them in further attacks.
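As an added example (not code from PowerMaster+), the verify-only storage that user passwords call for, written in Python with the standard library: a per-user random salt, a slow key derivation (PBKDF2-HMAC-SHA256, with an iteration count chosen for this example), and a constant-time comparison. Nothing in the stored record can be turned back into the password, which is the property the 3DES scheme described above lacks.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumed for this illustration; pick a current
# recommendation such as OWASP's when deploying).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, so one cracked record says nothing about the others.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the candidate password and compare it.

    The stored record is only ever used as a comparison target; there is no
    key anywhere that could decrypt it back to the plaintext.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:  # malformed or truncated record
        return False
    if algorithm != ALGORITHM:
        return False
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))                 # False
```

Outbound service credentials that the software must present to an SMTP server are the one place reversible storage remains necessary, and they should be kept separately from the user table so that a database read does not expose both.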
Workarounds
None
Coordinated Disclosure Timeline
- 05/05/2025 Identification of the vulnerability
- 20/08/2025 Noticed that the vulnerability has been fixed in the latest PowerMaster+ version (1.2.3) but no security advisory has been released
- 14/09/2025 Advisory release