CRITICAL🇵🇱 Wersja polska

CVE-2023-51593

CVSS 9.8v3.0pub. 2024-05-03upd. 2025-07-09

Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Struts2 dependency. The issue results from the use of a library that is vulnerable to expression language injection. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22095.

🤖 AI Analysis
How it works

The vulnerability exists in the Struts2 library used by the ViewPower Pro application, which is vulnerable to expression language injection (CWE-917). An attacker can send a specially crafted request to the application in which a malicious expression is processed and executed by the Struts2 library's expression engine. As a result, code is executed in the context of the LOCAL SERVICE process on the targeted system.

Impact

An attacker can remotely execute arbitrary code in the context of the LOCAL SERVICE account, which may lead to system takeover, violation of data confidentiality, integrity, and service availability.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with the references. It is also recommended to restrict network access to the ViewPower Pro application interface using a firewall to minimize exposure to unauthorized requests.

Who is affected

Voltronic Power ViewPower Pro — versions indicated in the manufacturer's references (vulnerability identified as ZDI-CAN-22095)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Voltronicpower Viewpower

    APP
    Voltronicpower
    2.0-22165
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2023-51576CRITICAL9.8PL ✓ten sam produkt

RCE przez deserializację w Voltronic Power ViewPower (port TCP 51099)

CVE-2023-51581CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — RCE przez odsłoniętą niebezpieczną metodę klasy MacMonitorConsole

CVE-2023-51575CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — RCE przez niechronioną metodę w klasie MonitorConsole

CVE-2023-51574CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — pominięcie uwierzytelnienia przez exposed dangerous method

CVE-2023-51582CRITICAL9.8PL ✓ten sam produkt

Voltronic Power ViewPower — RCE przez wystawioną niebezpieczną metodę LinuxMonitorConsole