Platform: other
Component: viewpower-pro
Fixed in: 2.0.1
CVE-2023-51595 is a critical SQL Injection vulnerability affecting Voltronic Power ViewPower Pro versions 2.0-22165. This flaw allows unauthenticated remote attackers to execute arbitrary code, potentially leading to complete system compromise. The vulnerability stems from insufficient input validation within the selectDeviceListBy method, and a patch is currently available.
The impact of CVE-2023-51595 is severe due to its ease of exploitation and potential for complete system takeover. An attacker can directly inject malicious SQL code through the selectDeviceListBy endpoint, bypassing authentication. Successful exploitation allows the attacker to execute commands on the system with LOCAL SERVICE privileges. This could lead to data exfiltration, modification of system configurations, installation of malware, and ultimately, full control of the affected ViewPower Pro device. Given the lack of authentication required, the vulnerability presents a significant risk to any system running an affected version of ViewPower Pro.
CVE-2023-51595 was reported to ZDI (ZDI-CAN-22163) and subsequently disclosed publicly on 2024-05-03. The vulnerability's ease of exploitation, coupled with the lack of authentication, suggests a medium to high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. The CVSS score of 9.8 (CRITICAL) reflects the severity of the vulnerability and the potential for widespread exploitation.
EPSS: 36.39% (97th percentile)
The primary mitigation for CVE-2023-51595 is to upgrade ViewPower Pro to a patched version. Voltronic Power has released a fix; consult their advisory for details. As a temporary workaround, implement Web Application Firewall (WAF) rules to filter potentially malicious SQL injection attempts targeting the selectDeviceListBy endpoint. Server-side input validation, specifically sanitizing user-supplied data before constructing SQL queries, can also reduce the attack surface. Consider implementing strict access controls and network segmentation to limit the potential blast radius if the vulnerability is exploited. After upgrading, confirm the fix by attempting to trigger the selectDeviceListBy endpoint with a known malicious SQL injection payload; the input should now be properly sanitized and should not execute arbitrary code.
Update Voltronic Power ViewPower Pro to a version later than 2.0-22165 to correct the SQL Injection vulnerability. Consult the vendor's website for the latest version and update instructions.
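The following Python triages proxy access logs for requests to selectDeviceListBy that carry SQL metacharacters, the same matching a WAF rule in front of the endpoint would apply. It is an added example, not code from the vendor or the original page; the log format, the `/example/` path prefix, the `name` parameter and the token list are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Method name from the advisory; the full URL path is not given on the page.
ENDPOINT = "selectDeviceListBy"

# Assumed log format: Common/Combined Log Format from a proxy in front of the app.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Heuristic SQL metacharacters and keywords; tune to cut false positives.
SQLI_RE = re.compile(r"'|;|--|/\*|#|\b(?:union|select|sleep|benchmark|waitfor)\b", re.I)

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input (%2527) is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (ip, timestamp, status, matched_token) for flagged endpoint hits.
    Only the query string is inspected; POST bodies are not in access logs."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or ENDPOINT.lower() not in m["target"].lower():
            continue
        query = m["target"].partition("?")[2]
        token = SQLI_RE.search(decode(query))
        if token:
            hits.append((m["ip"], m["ts"], m["status"], token.group(0)))
    return hits

# Constructed sample lines; path prefix and parameter name are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/May/2024:10:00:01 +0000] "GET /example/selectDeviceListBy?name=UPS-01 HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/May/2024:10:00:05 +0000] "GET /example/selectDeviceListBy?name=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9041',
    '203.0.113.9 - - [03/May/2024:10:00:09 +0000] "GET /example/selectDeviceListBy?name=x%2527%253B-- HTTP/1.1" 500 120',
    '198.51.100.7 - - [03/May/2024:10:00:12 +0000] "GET /example/status?q=a%27b HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```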
CVE-2023-51595 is a critical SQL Injection vulnerability in Voltronic Power ViewPower Pro versions 2.0-22165, allowing remote code execution without authentication.
If you are running ViewPower Pro version 2.0-22165, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
Upgrade to the latest patched version of ViewPower Pro. Consult the official Voltronic Power advisory for specific version details and upgrade instructions.
While confirmed exploitation is not yet widespread, the vulnerability's ease of exploitation and critical severity suggest a high probability of active exploitation.
Refer to the official Voltronic Power security advisory for details and updates regarding CVE-2023-51595.