Platform
other
Component
viewpower-pro
Fixed version
2.0.1
CVE-2023-51595 is a critical SQL Injection vulnerability affecting Voltronic Power ViewPower Pro versions 2.0-22165. This flaw allows unauthenticated remote attackers to execute arbitrary code, potentially leading to complete system compromise. The vulnerability stems from insufficient input validation within the selectDeviceListBy method, and a patch is currently available.
The impact of CVE-2023-51595 is severe due to its ease of exploitation and potential for complete system takeover. An attacker can directly inject malicious SQL code through the selectDeviceListBy endpoint, bypassing authentication. Successful exploitation allows the attacker to execute commands on the system with LOCAL SERVICE privileges. This could lead to data exfiltration, modification of system configurations, installation of malware, and ultimately, full control of the affected ViewPower Pro device. Given the lack of authentication required, the vulnerability presents a significant risk to any system running an affected version of ViewPower Pro.
CVE-2023-51595 was reported to ZDI (ZDI-CAN-22163) and subsequently disclosed publicly on 2024-05-03. The vulnerability's ease of exploitation, coupled with the lack of authentication, suggests a medium to high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. The CVSS score of 9.8 (CRITICAL) reflects the severity of the vulnerability and the potential for widespread exploitation.
Organizations utilizing Voltronic Power ViewPower Pro for industrial control or monitoring systems are at significant risk. Specifically, deployments with direct internet exposure or lacking robust network segmentation are particularly vulnerable. Shared hosting environments where multiple users share the same ViewPower Pro instance also increase the potential attack surface.
• linux / server: Monitor access logs for unusual SQL queries targeting the selectDeviceListBy endpoint. Use journalctl to filter for errors related to SQL execution.
journalctl -u viewpower_pro -f | grep "SQL injection"
• generic web: Use curl to test the selectDeviceListBy endpoint with a simple SQL injection payload (e.g., ' OR '1'='1). Check the response for unexpected behavior or error messages.
curl --get --data-urlencode "param=' OR '1'='1" "http://<viewpower_pro_ip>/selectDeviceListBy"
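The access-log monitoring described above can be sketched as follows. This is an added example, not code from the vendor or the advisory. It assumes combined-format access logs and reuses the placeholder parameter name param from the curl test; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "selectDeviceListBy"  # endpoint named in the advisory
# Assumed log layout: combined log format (IP ... "METHOD target HTTP/x" status).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Heuristic signals checked against each URL-decoded query value.
SIGNALS = [
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"--|/\*")),
    ("stacked", re.compile(r";")),
    ("tautology", re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
]

def scan(lines):
    """Return (ip, status, reasons) for suspicious requests to ENDPOINT."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if ENDPOINT.lower() not in url.path.lower():
            continue
        reasons = set()
        # parse_qsl percent-decodes values, so %27 is seen as a quote.
        for _, value in parse_qsl(url.query, keep_blank_values=True):
            reasons.update(name for name, rx in SIGNALS if rx.search(value))
        # A 5xx on this endpoint may indicate a SQL error surfacing.
        if int(m["status"]) >= 500:
            reasons.add("server-error")
        if reasons:
            findings.append((m["ip"], int(m["status"]), sorted(reasons)))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2024:10:00:01 +0000] "GET /selectDeviceListBy?param=UPS-01 HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/May/2024:10:00:05 +0000] "GET /selectDeviceListBy?param=%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 87',
    '198.51.100.7 - - [03/May/2024:10:00:09 +0000] "GET /index.html?q=%27 HTTP/1.1" 200 1024',
    '192.0.2.10 - - [03/May/2024:10:00:12 +0000] "GET /selectDeviceListBy?param=UPS-02 HTTP/1.1" 500 87',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body do not appear in access logs, so this check only covers query strings.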
Exploitation status
EPSS
36.39% (97th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2023-51595 is to upgrade ViewPower Pro to a patched version. Voltronic Power has released a fix; consult their advisory for details. As a temporary workaround, implement Web Application Firewall (WAF) rules to filter potentially malicious SQL injection attempts targeting the selectDeviceListBy endpoint. Input validation on the server-side, specifically sanitizing user-supplied data before constructing SQL queries, can also reduce the attack surface. Consider implementing strict access controls and network segmentation to limit the potential blast radius if the vulnerability is exploited. After upgrade, confirm by attempting to trigger the selectDeviceListBy endpoint with a known malicious SQL injection payload; it should now be properly sanitized and not execute arbitrary code.
Update Voltronic Power ViewPower Pro to a version later than 2.0-22165 to fix the SQL injection vulnerability. Consult the vendor's website for the latest version and update instructions.
CVE-2023-51595 is a critical SQL Injection vulnerability in Voltronic Power ViewPower Pro versions 2.0-22165, allowing remote code execution without authentication.
If you are running ViewPower Pro version 2.0-22165, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
Upgrade to the latest patched version of ViewPower Pro. Consult the official Voltronic Power advisory for specific version details and upgrade instructions.
While confirmed exploitation is not yet widespread, the vulnerability's ease of exploitation and critical severity suggest a high probability of active exploitation.
Refer to the official Voltronic Power security advisory for details and updates regarding CVE-2023-51595.