CVE-2023-51572
published 2024-04-01

CVE-2023-51572: Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability

Priority P182 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 38.42% (98.4th percentile)
Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getMacAddressByIP function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21163.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
voltronic_power | viewpower_pro | |
voltronicpower | viewpower | |

Detection & IOCs (extracted from sources)

  • The vulnerable function is getMacAddressByIP — monitor for unsanitized user-supplied strings passed to this function that reach a system call, indicating attempted OS command injection exploitation.
  • No authentication is required to reach the vulnerable endpoint; any unauthenticated network request targeting the getMacAddressByIP functionality on exposed ViewPower Pro instances should be treated as suspicious.
  • Successful exploitation results in code execution as SYSTEM; monitor for unexpected SYSTEM-level process spawning from the ViewPower Pro service process.
  • Affected version is ViewPower Pro 2.0-22165; fingerprint exposed instances on the network and flag this specific version for priority patching/isolation.
  • The vulnerability is remotely exploitable with low attack complexity and no privileges required (CVSS AV:N/AC:L/PR:N/UI:N); treat any internet-exposed ViewPower Pro instance as critically at risk.
  • No patch has been issued by the vendor; Voltronic Power did not respond to CISA coordination attempts, so no fixed version exists to upgrade to.
  • No known public exploitation has been reported at time of advisory publication, but the attack surface is unauthenticated and remotely reachable, warranting proactive network isolation.