CVE-2022-43110
Published: 22 August 2025
Summary
CVE-2022-43110 is a critical-severity Improper Access Control (CWE-284) vulnerability in Cisa (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks at the 49.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations for access to the web interface, preventing unauthenticated remote changes to admin passwords, system configurations, UPS controls, and OS commands.
Explicitly identifies and authorizes only safe actions without identification or authentication, prohibiting critical configuration modifications by unauthenticated attackers.
Remediates the specific improper access control flaw in ViewPower and PowerShield Netguard by applying vendor patches such as version 1.04-21353 or later.
NVD Description
Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down.
Deeper analysis
CVE-2022-43110 affects Voltronic Power ViewPower through version 1.04-21353 and PowerShield Netguard before version 1.04-23292. The vulnerability resides in an unspecified web interface that allows a remote attacker to configure the system without authentication. This improper access control issue, mapped to CWE-284, CWE-306, and CWE-425, enables unauthorized modifications to critical system settings.
An unauthenticated remote attacker with network access can exploit this vulnerability due to its low complexity and no required privileges, as indicated by the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows the attacker to change the web interface admin password, view and modify system configuration, enumerate connected UPS devices, shut down those devices, and configure operating system commands to execute upon detection of a connected UPS shutdown, potentially leading to high impacts on confidentiality, integrity, and availability.
Advisories including CISA ICSA-25-182-05 and the Ready2Disclose report at ready2disclose.com/vpow-31491-43110 detail mitigation strategies for this vulnerability. Security practitioners should consult these references for specific patch information, such as upgrading to ViewPower 1.04-21353 or later and PowerShield Netguard 1.04-23292 or later, along with network segmentation and access controls for affected systems.
Details
- CWE(s)