CRITICAL🇵🇱 Wersja polska

CVE-2023-51576

CVSS 9.8v3.0pub. 2024-05-03upd. 2025-07-09

Voltronic Power ViewPower Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RMI interface, which listens on TCP port 51099 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22012.

🤖 AI Analysis
How it works

The vulnerability affects the RMI (Remote Method Invocation) interface, which by default listens on TCP port 51099. The application does not perform adequate validation of user-supplied data, which allows for deserialization of untrusted data (CWE-502). An attacker can send a specially crafted payload to this interface without the need for prior authentication, resulting in code execution in the context of the SYSTEM account.

Impact

The attacker gains the ability to execute arbitrary code with SYSTEM privileges on the compromised machine, which means complete takeover of the operating system, including data access, ability to install malicious software, and lateral movement in the network.

Mitigation & patch

Apply patches available from the manufacturer in accordance with the references. Additionally, as a remedial measure, it is recommended to restrict network access to TCP port 51099 exclusively to trusted hosts using a firewall or ACL rules, which will reduce the attack surface until the update is deployed.

Who is affected

Voltronic Power ViewPower — versions indicated in the manufacturer's references and in the Zero Day Initiative advisory (ZDI-23-1882)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Voltronicpower Viewpower

    APP
    Voltronicpower
    1.04.21353
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2023-51581CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — RCE przez odsłoniętą niebezpieczną metodę klasy MacMonitorConsole

CVE-2023-51582CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — RCE przez wystawioną niebezpieczną metodę LinuxMonitorConsole

CVE-2023-51575CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — RCE przez niechronioną metodę w klasie MonitorConsole

CVE-2023-51574CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — pominięcie uwierzytelnienia przez exposed dangerous method

CVE-2023-51583CRITICAL9.8PL ✓ten sam produkt

RCE w Voltronic Power ViewPower — odsłonięta niebezpieczna metoda UpsScheduler