Voltronic Power ViewPower MacMonitorConsole Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MacMonitorConsole class. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22034.
The MacMonitorConsole class in the ViewPower application exposes a method that should not be accessible remotely (CWE-749: Exposed Dangerous Method or Function). An attacker can invoke this method over the network without providing any authentication credentials. This results in arbitrary code execution in the context of the user running the process.
An attacker can remotely execute arbitrary code on the vulnerable system without authentication, which may lead to complete system compromise, data confidentiality breach, and service availability disruption.
Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict network access to the ViewPower interface using firewall or network segmentation so that the application is not accessible from untrusted networks.
Voltronic Power ViewPower — versions indicated in vendor references (details in advisory ZDI-23-1886)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVoltronicpower Viewpower
APPVoltronicpower1.04.21353
Related vulnerabilities
RCE przez deserializację w Voltronic Power ViewPower (port TCP 51099)
Voltronic Power ViewPower — RCE przez wystawioną niebezpieczną metodę LinuxMonitorConsole
Voltronic Power ViewPower — RCE przez niechronioną metodę w klasie MonitorConsole
Voltronic Power ViewPower — pominięcie uwierzytelnienia przez exposed dangerous method
RCE w Voltronic Power ViewPower — odsłonięta niebezpieczna metoda UpsScheduler