CRITICAL🇵🇱 Wersja polska

CVE-2023-51583

CVSS 9.8v3.0pub. 2024-05-03upd. 2025-07-09

Voltronic Power ViewPower UpsScheduler Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UpsScheduler class. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22036.

🤖 AI Analysis
How it works

The vulnerability exists in the UpsScheduler class, where a dangerous method has been exposed remotely without proper security controls (CWE-749: Exposed Dangerous Method or Function). An attacker can invoke this method from outside the network without providing any authentication credentials. The result of invoking the method is code execution in the context of the SYSTEM account, which represents the highest privilege level in the Windows operating system.

Impact

An attacker can execute arbitrary code with SYSTEM privileges, gaining full control over the compromised host, including the ability to install malware, steal data, and perform lateral movement within the network.

Mitigation & patch

Apply patches available from the vendor according to the references provided. It is also recommended to restrict network access to the ViewPower service using a firewall to trusted hosts only and monitor network activity related to this service.

Who is affected

Voltronic Power ViewPower — versions indicated in the vendor's references (vulnerability confirmed in ZDI-CAN-22036 identifier)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Voltronicpower Viewpower

    APP
    Voltronicpower
    1.04.21353
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2023-51576CRITICAL9.8PL ✓ten sam produkt

RCE przez deserializację w Voltronic Power ViewPower (port TCP 51099)

CVE-2023-51581CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — RCE przez odsłoniętą niebezpieczną metodę klasy MacMonitorConsole

CVE-2023-51575CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — RCE przez niechronioną metodę w klasie MonitorConsole

CVE-2023-51574CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — pominięcie uwierzytelnienia przez exposed dangerous method

CVE-2023-51582CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — RCE przez wystawioną niebezpieczną metodę LinuxMonitorConsole