Voltronic Power ViewPower Pro updateManagerPassword Exposed Dangerous Function Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the updateManagerPassword function. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21203.
The vulnerability lies in the updateManagerPassword function, which is available without prior authentication and performs a dangerous administrative operation. The problem results from exposing this function externally without appropriate access control (CWE-749 — Exposed Dangerous Method or Function). An attacker can directly invoke this function over the network, bypassing any login mechanisms implemented in the application.
An attacker gains the ability to bypass authentication in the system, which may lead to takeover of the power management application, and consequently to unauthorized access, data modification, and system availability disruption.
Apply patches available from the manufacturer in accordance with the references. It is also recommended to restrict network access to the ViewPower Pro management interface exclusively to trusted hosts and internal networks (e.g., via firewall or VPN) until the fix is deployed.
Voltronic Power ViewPower Pro — versions indicated in the manufacturer's references (ZDI-23-1879 advisory)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVoltronicpower Viewpower
APPVoltronicpower2.0-22165
Related vulnerabilities
RCE przez deserializację w Voltronic Power ViewPower (port TCP 51099)
Voltronic Power ViewPower — RCE przez odsłoniętą niebezpieczną metodę klasy MacMonitorConsole
Voltronic Power ViewPower — pominięcie uwierzytelnienia przez exposed dangerous method
Voltronic Power ViewPower — RCE przez niechronioną metodę w klasie MonitorConsole
Voltronic Power ViewPower — RCE przez wystawioną niebezpieczną metodę LinuxMonitorConsole