Voltronic Power and PowerShield UPS monitoring software
Act Now · 10 · ICS-CERT ICSA-25-182-05 · Jul 1, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Voltronic Power Viewpower, ViewPower Pro, and Powershield NetGuard UPS monitoring software contain vulnerabilities (CWE-749 improper restriction of rendered UI layers and CWE-425 direct request to handler) that allow unauthenticated remote attackers to modify configuration or execute arbitrary code. Successful exploitation could shut down UPS-protected devices or compromise system integrity. Voltronic Power has not engaged with CISA on remediation. Powershield has released a patch for NetGuard.
What this means
What could happen
An unauthenticated attacker could remotely modify UPS configuration settings or execute arbitrary code, potentially shutting down critical power backup systems and connected equipment at energy facilities.
Who's at risk
Energy utilities and data centers using Voltronic Power Viewpower, Viewpower Pro, or Powershield NetGuard for UPS monitoring and management. Any facility relying on uninterruptible power supplies for critical infrastructure (generation facilities, water treatment, substations, data centers) is affected if these products are deployed.
How it could be exploited
An attacker on the network (or internet, if the monitoring software is internet-exposed) sends crafted requests to the UPS monitoring software without needing credentials. The software processes these requests and allows configuration changes or code execution, which could alter UPS behavior or disable backup power protection.
Prerequisites
- Network connectivity to the UPS monitoring software port
- No authentication credentials required
- Software accessible from attacker's network segment (internal or internet-exposed)
remotely exploitable · no authentication required · low complexity · critical CVSS (10.0) · no patch available for Voltronic products · affects power backup systems · actively exploited status unknown but high risk
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
1 with fix · 2 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| Voltronic Power Viewpower | ≤ 1.04-24215 | No fix (EOL) |
| Powershield NetGuard | ≤ 1.04-22119 | 1.04-23292 |
| Voltronic Power ViewPower Pro | ≤ 2.2165 | No fix (EOL) |
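
To check an asset inventory against the table above, the following added example (not part of the advisory or of either vendor's tooling) classifies each installation and returns the matching action from this page. It assumes version fields compare numerically from left to right and that inventory entries use the short product names; the hostnames and installed versions are constructed.

```python
import re

# Affected-version ceilings and fix versions copied from the advisory table.
# "fixed" is None where the advisory lists no fix (EOL).
ADVISORY = {
    "viewpower":     {"max_affected": "1.04-24215", "fixed": None},
    "viewpower pro": {"max_affected": "2.2165",     "fixed": None},
    "netguard":      {"max_affected": "1.04-22119", "fixed": "1.04-23292"},
}

def parse_version(text):
    """Split '1.04-24215' or '2.2165' into a tuple of ints.
    Assumption: fields compare numerically, left to right."""
    parts = re.split(r"[.\-]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def triage(product, version):
    """Return (status, action) for one inventory entry."""
    entry = ADVISORY.get(product.strip().lower())
    if entry is None:
        return ("not-listed", "product is not named in this advisory")
    try:
        v = parse_version(version)
    except ValueError:
        return ("unknown-version", "verify the installed version manually")
    if v <= parse_version(entry["max_affected"]):
        if entry["fixed"]:
            return ("affected-fix-available", f"upgrade to {entry['fixed']} or later")
        return ("affected-no-fix", "isolate behind a firewall; restrict to management networks")
    if entry["fixed"] and v < parse_version(entry["fixed"]):
        return ("below-fixed-version", f"upgrade to {entry['fixed']} or later")
    return ("above-affected-range", "no action listed in this advisory")

# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ups-mon-01", "ViewPower", "1.04-21353"),
    ("ups-mon-02", "NetGuard", "1.04-22119"),
    ("ups-mon-03", "NetGuard", "1.04-23292"),
    ("ups-mon-04", "ViewPower Pro", "unknown"),
]

def report(inventory):
    return [(host, *triage(product, version)) for host, product, version in inventory]

if __name__ == "__main__":
    for row in report(SAMPLE_INVENTORY):
        print("{:<12} {:<24} {}".format(*row))
```

NetGuard builds that fall between the listed affected ceiling and the fixed version are reported separately as below-fixed-version, since the advisory does not state their status.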
Remediation & Mitigation
Do now
HOTFIX: Immediately apply Powershield NetGuard patch to version 1.04-23292 or later if you use that product
WORKAROUND: For Voltronic Power Viewpower and ViewPower Pro: isolate affected systems behind a firewall; block inbound network access to the monitoring software from untrusted networks until a fix is available
WORKAROUND: Restrict network access to UPS monitoring software to only authorized engineering workstations and management networks; do not expose to the internet
WORKAROUND: If remote access to monitoring software is required, use a VPN with current patches and access controls; verify connected devices are also patched and trusted
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Contact Voltronic Power customer support to report the vulnerability and request guidance; vendor has not yet confirmed a timeline for fixes to Viewpower products
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Voltronic Power Viewpower: <=1.04-24215, Voltronic Power ViewPower Pro: <=2.2165. Apply the following compensating controls:
HARDENING: Segment UPS monitoring and control networks from business networks and the internet using firewalls and network isolation
CVEs (2)