Voltronic Power ViewPower MonitorConsole Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MonitorConsole class. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22011.
The flaw results from exposing a dangerous method in the MonitorConsole class of the ViewPower application (CWE-749 — Exposed Dangerous Method or Function). An attacker can invoke this method remotely over the network without any authentication. Successful exploitation of the vulnerability allows code execution in the context of the currently logged-in user running the application. The vulnerability was identified by Zero Day Initiative as ZDI-CAN-22011.
An attacker can remotely execute arbitrary code (RCE) on the affected system, gaining full control over the environment in the context of the current user's privileges, which may lead to violations of system confidentiality, integrity, and availability.
Patches available from the manufacturer should be applied according to the references. Additionally, it is recommended to restrict network access to the MonitorConsole interface using a firewall and isolate UPS management systems from untrusted network segments.
Voltronic Power ViewPower — versions indicated in the manufacturer's references and in the Zero Day Initiative advisory (ZDI-23-1881)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVoltronicpower Viewpower
APPVoltronicpower1.04.21353
Related vulnerabilities
Voltronic Power ViewPower — RCE przez odsłoniętą niebezpieczną metodę klasy MacMonitorConsole
Voltronic Power ViewPower — RCE przez wystawioną niebezpieczną metodę LinuxMonitorConsole
RCE przez deserializację w Voltronic Power ViewPower (port TCP 51099)
Voltronic Power ViewPower — pominięcie uwierzytelnienia przez exposed dangerous method
RCE w Voltronic Power ViewPower — odsłonięta niebezpieczna metoda UpsScheduler