Voltronic Power ViewPower Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RMI interface, which listens on TCP port 51099 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22012.
The vulnerability affects the RMI (Remote Method Invocation) interface, which by default listens on TCP port 51099. The application does not perform adequate validation of user-supplied data, which allows for deserialization of untrusted data (CWE-502). An attacker can send a specially crafted payload to this interface without the need for prior authentication, resulting in code execution in the context of the SYSTEM account.
The attacker gains the ability to execute arbitrary code with SYSTEM privileges on the compromised machine, which means complete takeover of the operating system, including data access, ability to install malicious software, and lateral movement in the network.
Apply patches available from the manufacturer in accordance with the references. Additionally, as a remedial measure, it is recommended to restrict network access to TCP port 51099 exclusively to trusted hosts using a firewall or ACL rules, which will reduce the attack surface until the update is deployed.
Voltronic Power ViewPower — versions indicated in the manufacturer's references and in the Zero Day Initiative advisory (ZDI-23-1882)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVoltronicpower Viewpower
APPVoltronicpower1.04.21353
Related vulnerabilities
Voltronic Power ViewPower — RCE przez odsłoniętą niebezpieczną metodę klasy MacMonitorConsole
Voltronic Power ViewPower — RCE przez wystawioną niebezpieczną metodę LinuxMonitorConsole
Voltronic Power ViewPower — RCE przez niechronioną metodę w klasie MonitorConsole
Voltronic Power ViewPower — pominięcie uwierzytelnienia przez exposed dangerous method
RCE w Voltronic Power ViewPower — odsłonięta niebezpieczna metoda UpsScheduler