Voltronic Power ViewPower Pro

Act NowCVSS 9.8ICS-CERT ICSA-24-023-03Jan 23, 2024

Energy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Voltronic Power ViewPower Pro versions 2.0-22165 and earlier contain three critical vulnerabilities: insecure deserialization (CWE-502) allowing arbitrary object instantiation, missing authentication on sensitive operations (CWE-306), and command injection (CWE-78) enabling code execution. These issues can be exploited remotely over the network without credentials to achieve denial of service, extract administrator credentials, or execute arbitrary commands on the management system. Voltronic Power has not responded to CISA coordination efforts and no patch has been released.

What this means

What could happen

An attacker could remotely take over the ViewPower Pro management system without authentication, leading to denial of service, credential theft, or arbitrary command execution that could disrupt power monitoring and control operations across connected equipment.

Who's at risk

Energy sector operators using ViewPower Pro for power system monitoring and management, including utilities managing UPS systems, power distribution, and backup generation control. Any facility dependent on ViewPower Pro for operational visibility into critical infrastructure is at risk.

How it could be exploited

An attacker on the network (or internet if the device is exposed) sends specially crafted requests to the ViewPower Pro web interface. The vulnerabilities stem from insecure deserialization (CWE-502), missing authentication checks (CWE-306), and command injection (CWE-78), allowing the attacker to bypass login, inject commands, or trigger denial of service without any user interaction.

Prerequisites

Network reachability to ViewPower Pro web interface (typically HTTP/HTTPS)
No authentication required for exploitation
Device running ViewPower Pro version 2.0-22165 or earlier

Remotely exploitableNo authentication requiredLow complexity attackHigh EPSS score (30.3%)No patch availableAffects critical infrastructure

Exploitability

Likely to be exploited — EPSS score 30.3%

Affected products (1)

ProductAffected VersionsFix Status

ViewPower Pro: 2.0-221652.0-22165No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/4

HARDENINGIsolate ViewPower Pro systems from the internet and business networks using firewalls and network segmentation

HARDENINGRestrict network access to ViewPower Pro to only authorized engineering workstations and control system networks

HARDENINGIf remote access is required, implement a VPN with current security patches and strong authentication

HOTFIXContact Voltronic Power directly to inquire about patch availability and timeline

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXMonitor for and apply any security updates from Voltronic Power when available

Mitigations - no patch available

0/1

ViewPower Pro: 2.0-22165 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGPerform network segmentation to separate ViewPower Pro systems from business IT networks

CVEs (4)

CVE-2023-51570 CVE-2023-51571 CVE-2023-51572 CVE-2023-51573

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c9c55428-42d7-407b-8387-d3e33a7a1417

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.