CVE-2022-43110
published 2025-08-22

Priority P267 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.62% (45.0th percentile)
Voltronic Power ViewPower through 1.04-21353 and PowerShield NetGuard before 1.04-23292 allow a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system, including changing the web interface admin password, viewing or changing the system configuration, enumerating connected UPS devices, and shutting down connected UPS devices. This extends to configuring the operating system commands that run when the system detects a connected UPS shutting down.

Detection & IOCs (extracted from sources)

  • Unauthenticated forced browsing against the Voltronic Power ViewPower / PowerShield NetGuard web interface allows an attacker to change the admin password, view/change system configuration, enumerate connected UPS devices, and shut down connected UPS devices — no credentials required.
  • The vulnerability class is CWE-425 (Direct Request / Forced Browsing) against the UPS management web interface; monitor for unauthenticated HTTP requests to administrative endpoints that would normally require authentication.
  • No public exploitation of CVE-2022-43110 has been reported to CISA at time of advisory publication; threat remains theoretical but critical (CVSS v3.1 9.8).
  • Voltronic Power has not engaged with CISA on mitigations; only PowerShield NetGuard 1.04-23292 and later has a vendor-confirmed fix. ViewPower and ViewPower Pro remain unpatched by the vendor.
  • The advisory also covers a related but distinct RCE vulnerability (CVE-2022-31491, CVSS 10.0) involving an unauthenticated exposed OS-command execution function; ensure detections cover both CVEs when monitoring this software.