CVE-2023-51595

9.8 CRITICAL

📋 TL;DR

This is an unauthenticated SQL injection vulnerability in Voltronic Power ViewPower Pro that allows remote attackers to execute arbitrary code. Attackers can exploit this without credentials to run code with LOCAL SERVICE privileges. All installations of affected ViewPower Pro versions are vulnerable.

💻 Affected Systems

Products:
  • Voltronic Power ViewPower Pro
Versions: Specific versions not detailed in advisory; all versions with vulnerable selectDeviceListBy method
Operating Systems: Windows (based on LOCAL SERVICE context)
Default Config Vulnerable: ⚠️ Yes
Notes: Authentication not required; default installations are vulnerable. Exact version ranges not specified in available references.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution as LOCAL SERVICE, potentially leading to lateral movement, data theft, or ransomware deployment.

🟠 Likely Case

Remote code execution leading to system compromise, data exfiltration, or installation of backdoors/malware.

🟢 If Mitigated

Attack blocked at network perimeter; no impact if system is properly isolated and patched.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation with critical CVSS score of 9.8 makes internet-facing systems immediate targets.
🏢 Internal Only: HIGH - Even internally, unauthenticated exploitation allows attackers with network access to compromise systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection to RCE chain is well-documented; unauthenticated access makes exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references

Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-1897/

Restart Required: Yes

Instructions:

1. Contact Voltronic Power for patch information
2. Apply latest security updates
3. Restart affected services
4. Verify patch application

🔧 Temporary Workarounds

Network Segmentation

all

Isolate ViewPower Pro systems from untrusted networks

Firewall Rules

all

Restrict access to ViewPower Pro ports to authorized IPs only

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access
  • Deploy web application firewall (WAF) with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running Voltronic Power ViewPower Pro; test for SQL injection in selectDeviceListBy endpoint

Check Version:

Check application version through admin interface or vendor documentation

Verify Fix Applied:

Verify patch version from vendor; test that SQL injection attempts no longer succeed

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed authentication attempts to selectDeviceListBy endpoint
  • Unexpected process execution as LOCAL SERVICE

Network Indicators:

  • SQL injection patterns in HTTP requests to ViewPower Pro
  • Unusual outbound connections from ViewPower Pro system

SIEM Query:

source="viewpower" AND ("selectDeviceListBy" OR sql_injection_patterns)
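
The network indicator above, worked as an offline log triage script. This is an added example, not code from the advisory or the vendor: it flags requests that name selectDeviceListBy and carry generic SQL injection markers after URL-decoding. Assumptions: access logs in Common Log Format, and a hypothetical path `/example/` and parameter `q` in the constructed sample lines; request bodies are not logged and so are not covered.

```python
import re
from urllib.parse import unquote_plus

# Assumption: web/proxy access logs in Common Log Format; the advisory does not
# document ViewPower Pro's log format, URL layout or parameter names.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

TARGET_METHOD = "selectdevicelistby"  # method named in the advisory
# Generic SQL injection markers, checked after URL-decoding.
SQLI_MARKERS = {
    "quote_boolean": re.compile(r"['\"]\s*(or|and)\b", re.I),
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "sql_comment": re.compile(r"(--|/\*)"),
    "stacked_query": re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I),
}

def decode(target, rounds=2):
    """URL-decode repeatedly so double-encoded values are also inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan(lines):
    """Return (ip, status, sorted marker names) for suspicious requests to the method."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        target = decode(m["target"]) if m else ""
        if TARGET_METHOD not in target.lower():
            continue
        hits = sorted(name for name, rx in SQLI_MARKERS.items() if rx.search(target))
        if hits:
            findings.append((m["ip"], int(m["status"]), hits))
    return findings

# Constructed sample lines (hypothetical path and parameter name "q").
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /example/selectDeviceListBy?q=ups-01 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /example/selectDeviceListBy?q=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9034',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /example/selectDeviceListBy?q=x%2527%2520UNION%2520SELECT%2520null--%2520 HTTP/1.1" 500 120',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /example/other?q=%27%20OR%201%3D1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The markers are heuristics and will produce false positives on free-text parameters; treat a hit as a lead to correlate with unexpected process execution as LOCAL SERVICE, not as proof of compromise.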
