Voltronic Power ViewPower and PowerShield NetGuard Unauthenticated Remote Configuration Vulnerability
Vulnerability
A vulnerability in Voltronic Power ViewPower through 1.04-21353 and PowerShield NetGuard prior to 1.04-23292 allows unauthenticated remote attackers to make unauthorized configuration changes via an unspecified web interface. An attacker can change the admin password, modify system settings, enumerate and shut down connected UPS devices, and configure operating system commands that execute in response to UPS shutdown events.
Impact
Exploitation of this vulnerability could lead to unauthorized configuration changes on the affected system, including the shutdown of connected UPS devices and the execution of arbitrary operating system commands.
Reproduction
The vulnerability can be reproduced by accessing the web interface of the affected Voltronic Power ViewPower or PowerShield NetGuard software versions. No authentication is required, allowing an attacker to directly make changes to the system. This includes altering the admin password, modifying system configurations, managing connected UPS devices, and executing commands based on UPS shutdown signals.
Remediation
Users of PowerShield NetGuard should update to version 1.04-23292 or later. For Voltronic Power ViewPower or ViewPower Pro, no official patch is available, and users are advised to contact Voltronic Power customer support for assistance.
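To find hosts that still need attention, the version ranges in this advisory can be applied to a software inventory. The script below is an added example, not vendor or advisory code; the status labels, hostnames and inventory rows are constructed, and it assumes version strings use the "release-build" form shown above and compare numerically.

```python
import re

# Version strings in the advisory have the form "1.04-23292" (release, then build).
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\s*$")

NETGUARD_FIXED = (1, 4, 23292)        # NetGuard: fixed in 1.04-23292
VIEWPOWER_LAST_KNOWN = (1, 4, 21353)  # ViewPower: affected through 1.04-21353


def parse_version(text):
    """Return (major, minor, build) as ints, or None if the string is malformed."""
    m = VERSION_RE.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def triage(product, version):
    """Classify one inventory entry (status labels are this example's own)."""
    v = parse_version(version)
    if v is None:
        return "unknown-version"          # do not guess: check the host by hand
    name = product.strip().lower()
    if "netguard" in name:
        return "update" if v < NETGUARD_FIXED else "fixed"
    if "viewpower" in name:
        # No official patch exists. The advisory gives no range for ViewPower Pro
        # and says nothing about ViewPower builds after the last known one.
        if "pro" not in name and v <= VIEWPOWER_LAST_KNOWN:
            return "affected-no-patch"
        return "contact-vendor"
    return "not-listed"


# Constructed inventory rows: (host, product, version).
INVENTORY = [
    ("ups-mgmt-01", "PowerShield NetGuard", "1.04-21353"),
    ("ups-mgmt-02", "PowerShield NetGuard", "1.04-23292"),
    ("ups-mgmt-03", "Voltronic Power ViewPower", "1.04-21353"),
    ("ups-mgmt-04", "ViewPower Pro", "2.0-24001"),
    ("ups-mgmt-05", "PowerShield NetGuard", "v1.04"),
]


def report(rows=INVENTORY):
    """Map each host to its triage status."""
    return {host: triage(product, version) for host, product, version in rows}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Hosts reported as `affected-no-patch` or `contact-vendor` have no fixed build to move to, so they are the ones to raise with Voltronic Power support.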
