Conventional power systems are developing into cyber-physical power systems (CPPS) with wide applications of communication, computer and control technologies. However, multiple practical cases show that the failure of cyber layers is a major factor leading to blackouts. Therefore, it is necessary to discuss the cascading failure process considering cyber layer failures and analyze the vulnerability of CPPS. In this paper, a CPPS model, which consists of cyber layer, physical layer and cyber-physical interface, is presented using complex network theory. Considering power flow properties, the impacts of cyber node failures on the cascading failure propagation process are studied. Moreover, two vulnerability indices are established from the perspective of both network structure and power flow properties. A vulnerability analysis method is proposed, and the CPPS performance before and after cascading failures is analyzed by the proposed method to calculate vulnerability indices. In the case study, three typical scenarios are analyzed to illustrate the method, and vulnerabilities under different interface strategies and attack strategies are compared. Two thresholds are proposed to value the CPPS vulnerability roughly. The results show that CPPS is more vulnerable under malicious attacks and cyber nodes with high indices are vulnerable points which should be reinforced.