CVE-2023-51572
published 2024-04-01CVE-2023-51572: Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute…
PriorityP182critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
38.42%
98.4th percentile
Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the getMacAddressByIP function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21163.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| voltronic_power | viewpower_pro | — | — |
| voltronicpower | viewpower | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The vulnerable function is getMacAddressByIP — monitor for unsanitized user-supplied strings passed to this function that reach a system call, indicating attempted OS command injection exploitation. ↗
- →No authentication is required to reach the vulnerable endpoint; any unauthenticated network request targeting the getMacAddressByIP functionality on exposed ViewPower Pro instances should be treated as suspicious. ↗
- →Successful exploitation results in code execution as SYSTEM; monitor for unexpected SYSTEM-level process spawning from the ViewPower Pro service process. ↗
- →Affected version is ViewPower Pro 2.0-22165; fingerprint exposed instances on the network and flag this specific version for priority patching/isolation. ↗
- →The vulnerability is remotely exploitable with low attack complexity and no privileges required (CVSS AV:N/AC:L/PR:N/UI:N); treat any internet-exposed ViewPower Pro instance as critically at risk. ↗
- ·No patch has been issued by the vendor; Voltronic Power did not respond to CISA coordination attempts, so no fixed version exists to upgrade to. ↗
- ·No known public exploitation has been reported at time of advisory publication, but the attack surface is unauthenticated and remotely reachable, warranting proactive network isolation. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-67f8-2vh7-p8ch: Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability
ghsa_unreviewed·2024-04-02
CVE-2023-51572 [CRITICAL] CWE-78 GHSA-67f8-2vh7-p8ch: Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability
Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the getMacAddressByIP function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21163.
CISA ICS
Voltronic Power ViewPower Pro
cisa_ics·2024-01-23·CVSS 9.8
[CRITICAL] Voltronic Power ViewPower Pro
ICS Advisory
##
Voltronic Power ViewPower Pro
Release DateJanuary 23, 2024
Alert CodeICSA-24-023-03
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: Voltronic Power
- Equipment: ViewPower Pro
- Vulnerabilities: Deserialization of Untrusted Data, Missing Authentication for Critical Function, Exposed Dangerous Method or Function, OS Command Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to create a denial-of-service condition, obtain administrator credentials, or achieve remote code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of ViewPower Pro, an Uninterruptable Power Supply (UPS) management soft
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-04-01
Published