#VU84680 Improper Authentication in ViewPower - CVE-2023-51574
Vulnerability identifier: #VU84680
Vulnerability risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
ViewPower
Server applications /
SCADA systems
Vendor: Voltronic Power
Description
The vulnerability allows a remote attacker to bypass authentication.
The
vulnerability exist due to an error within the updateManagerPassword
method. A remote attacker can set a new password for the manager account
and gain unauthorized access to the application.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
ViewPower: All versions
External links
https://www.zerodayinitiative.com/advisories/ZDI-23-1880/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
