When a system designed to keep the lights on for critical infrastructure instead risks shutting them off with a few keystrokes, alarm bells ring far beyond the server room. Such is the case with recent critical security advisories surrounding the Voltronic Power and PowerShield lines of uninterruptible power supply (UPS) monitoring software—tools integrated not only throughout commercial and manufacturing facilities but also the global energy sector. As cyberattacks on operational technology rise, the vulnerabilities disclosed in the affected Voltronic Power Viewpower, ViewPower Pro, and PowerShield NetGuard products underscore the urgency of robust cybersecurity in industrial environments.
Overview of the Vulnerabilities and Their Criticality
Security researchers recently disclosed two severe flaws affecting Voltronic Power and PowerShield UPS management solutions. These vulnerabilities—labeled CVE-2022-31491 and CVE-2021-43110—introduce potentially catastrophic risks. According to analyses from CISA and independent commentators, they both allow unauthenticated, remote attackers to alter system configurations, disrupt UPS-connected devices, and, in some instances, execute arbitrary code directly.
CVSS Scores: What Makes These Flaws Stand Out?
Both vulnerabilities are scored at the highest levels:
- CVE-2022-31491: Rated CVSS v4 10.0, denoting a severity that is as high as the scale allows. The flaw is categorized under CWE-749 (Exposed Dangerous Method or Function)—specifically, the UPS management software exposes dangerous privileged functions on network interfaces, accessible without authentication or authorization.
- CVE-2021-43110: This vulnerability, scored CVSS v4 9.3 and CVSS v3.1 9.8, involves forced browsing (CWE-425). Essentially, malicious actors can access sensitive administrative endpoints by directly navigating to hidden or undocumented URLs, bypassing any need for authentication.
The following products and versions are affected:
- Voltronic Power Viewpower versions 1.04-24215 and prior,
- Voltronic Power ViewPower Pro up to version 2.2165,
- PowerShield NetGuard version 1.04-22119 and prior.
Breaking Down the Technical Details
1. Exposed Dangerous Method or Function (CWE-749)
UPS monitoring software typically allows authenticated admins to run a pre-defined system command when a shutdown event is detected—ostensibly for graceful decommissioning or automation. The disaster arises because the underlying mechanism powering this feature is exposed over the network, unauthenticated. In effect, any remote attacker with network access can:
- Send crafted requests that invoke system-level commands instantly;
- Ignore any UPS device state checks;
- Achieve remote code execution with privileges of the service account hosting the management software.
Attack Scenario
Imagine an attacker deliberately sending a command to shut down multiple servers at an energy provider or manufacturing site. With no authentication required and network accessibility, the path to disruption is alarmingly short and simple. According to public technical documentation and proofs-of-concept available on platforms like GitHub, such attacks have been demonstrated with minimal prior knowledge needed, amplifying the exposure.
2. Forced Browsing (CWE-425)
The second exposure—direct request forced browsing—reveals that administrative functions intended for privileged, authenticated users are accessible simply by crafting specific HTTP requests. No login? No problem, from an attacker’s perspective. This flaw opens the following possibilities:
- Changing the admin password for the web interface;
- Altering or viewing system configuration without authorization;
- Shutting down, restarting, or changing modes for connected UPS devices;
- Enumerating all managed UPS hardware and their critical settings.
Context: Why UPS Monitoring Security Is Non-Negotiable
UPS management tools once resided deep within air-gapped operational networks, interacting solely with local admins. Today, digital transformation, cloud integration, and the demand for remote oversight have made these systems network-exposed—and, sometimes, even internet-facing. While such connectivity enables efficiencies (remote maintenance, monitoring via dashboards, automation), it also multiplies the attack surface considerably.
What’s at Stake?
Voltronic Power and PowerShield products are present in sectors classified by CISA as critical infrastructure—commercial facilities, the energy grid, and manufacturing. A single point of unauthorized remote access could:
- Disrupt industrial production lines reliant on clean, uninterruptible power;
- Bring data centers or healthcare providers offline;
- Enable lateral movement, as attackers pivot from vulnerable UPS monitors to other network assets;
- Conceivably, assist in ransomware deployment by first disabling backup power.
Root Causes: Developer Shortcomings or Legacy Constraints?
Both vulnerabilities suggest systemic issues within the secure software development lifecycle (SDLC) for operational technology. The exposure of dangerous methods without authentication points to either legacy code inherited without proper review, or a lack of security-focused design principles—perhaps both.
In environments where OT and IT increasingly blur, failure to follow established security tenets (strong authentication, least privilege, segmented networking) leaves industrial organizations dangerously exposed. The fact that these issues existed in the latest versions up to the advisory date highlights the challenge of securing aging industrial software amid a rapidly evolving cyber threat landscape.
Vendor and Third-Party Responses: A Mixed Picture
A crucial part of incident mitigation lies not just in vulnerability disclosure but also in vendor responsiveness and patch management.
Voltronic Power
Despite outreach from CISA, Voltronic Power has not responded to coordinated remediation efforts, according to the advisory. At the time of writing, no vendor patch or mitigation guidance had been formally provided for Viewpower or ViewPower Pro. This silence is particularly concerning given the critical risk posture of the exposed products.
PowerShield
In contrast, PowerShield has acknowledged the issue and released a fixed version of its NetGuard software (v1.04-23292 and later). Users are encouraged to upgrade to these fixed releases, with download and support information available directly from PowerShield.
The disparity in responsiveness underscores the challenges industrial end-users face: software provenance, patch cadence, and vendor communication should all influence procurement and resilience strategies.
Community and ICS-CERT Guidance
Beyond vendor patches, CISA and leading industrial cybersecurity organizations urge users to take immediate, defense-in-depth steps:
- Place all industrial control system (ICS) software behind robust firewalls;
- Prohibit direct internet exposure for management interfaces;
- Implement strict network segmentation between IT and OT assets;
- Use VPNs for any required remote access, ensuring all endpoints remain fully patched;
- Regularly review network traffic for abnormal or suspicious connections to management ports.
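The last item, reviewing traffic to management interfaces, can be automated against firewall or flow logs. The following is an added example, not part of the original article or of any vendor tooling; the addresses, the port, the subnets and the log layout are all assumptions to be replaced with site values.

```python
import ipaddress

# Assumed site layout (hypothetical addresses; replace with your own).
UPS_MGMT_HOSTS = {ipaddress.ip_address(a) for a in ("10.20.0.15", "10.20.0.16")}
ADMIN_NETS = [ipaddress.ip_network("10.20.9.0/28")]  # jump hosts, admin workstations
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # everything treated as internal

# Constructed flow records: <time> <src> <dst> <dst_port> <verdict>
SAMPLE_FLOWS = """\
2024-01-10T02:11:04Z 10.20.9.4 10.20.0.15 8443 ALLOW
2024-01-10T02:14:51Z 10.30.4.77 10.20.0.15 8443 ALLOW
2024-01-10T02:15:02Z 203.0.113.50 10.20.0.16 8443 ALLOW
2024-01-10T02:15:09Z 203.0.113.50 10.20.0.16 8443 DENY
2024-01-10T02:20:00Z 10.30.4.77 10.40.1.9 443 ALLOW
"""

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def classify_flow(line):
    """Return an alert for a flow that reaches a UPS management host from
    outside the admin allowlist, or None if the flow is expected."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed record, ignored here
    ts, src, dst, dport, verdict = parts
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in UPS_MGMT_HOSTS or _in_any(src_ip, ADMIN_NETS):
        return None
    external = not _in_any(src_ip, SITE_NETS)
    if verdict != "ALLOW":
        severity = "info"      # blocked by policy; keep for trending
    elif external:
        severity = "critical"  # management interface reachable from outside the site
    else:
        severity = "high"      # segmentation gap: non-admin internal host got through
    return {"time": ts, "src": src, "dst": dst, "port": int(dport), "severity": severity}

def find_alerts(log_text):
    alerts = (classify_flow(line) for line in log_text.splitlines())
    return [a for a in alerts if a]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_FLOWS):
        print(a["severity"].upper(), a["time"], a["src"], "->", f'{a["dst"]}:{a["port"]}')
```

Internal ranges are listed explicitly because Python's `is_private` also reports documentation ranges such as 203.0.113.0/24 as private.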
Critical Analysis: Strengths, Risks, and Where the Industry Must Improve
Strengths
- Transparency: CISA’s prompt disclosure and detailed advisories enhance situational awareness and guide defenders and risk managers in practical mitigation.
- Community Initiative: The fact that an anonymous researcher disclosed these issues to CISA exemplifies the crucial role of the security research community, especially where vendor cooperation is lacking.
- PowerShield’s Patch: PowerShield’s timely release of fixed NetGuard builds demonstrates security maturity and respect for customer risk posture.
Risks and Shortcomings
- Vendor Inertia: With Voltronic Power unresponsive, a significant installed base remains exposed for the foreseeable future. Unpatched systems may remain operational for years in mission-critical environments due to upgrade difficulties, procurement cycles, or loss of vendor support.
- Public Exploitation Window: No known attacks targeting these vulnerabilities have been detected to date, but the existence of detailed advisories and some released proof-of-concept code all but guarantees eventual exploitation in the wild.
- Legacy and Derivative Risk: Many bespoke or branded UPS management solutions are based on Voltronic’s core software. Without a full software bill of materials (SBOM) and transparency from resellers, organizations may struggle to assess their exposure.
- Attack Surface Expansion: As more ICS systems gain remote access features for legitimate business motives, their risk profiles rise. Even third-party managed service providers (MSPs) tasked with ICS network oversight could be exposed if they rely on outdated or unpatched software.
Industry Gaps
The current state of many OT software products (including those for UPS monitoring) reflects a lag in adopting IT security best practices such as:
- Default-deny (least privilege) architectures;
- Hardened APIs with consistent authentication and authorization;
- Secure development lifecycles with mandatory code reviews and third-party audits;
- Mandatory vulnerability disclosure programs with clear commitment to rapid remediation.
Mitigations and Defensive Strategies
Given the ongoing risk, organizations using affected products should adopt layered, proactive defense measures—regardless of vendor patch status.
Immediate Steps
- Asset Inventory: Identify every instance of Voltronic Power Viewpower, ViewPower Pro, and PowerShield NetGuard running on the network. Include derivative builds from third-party vendors using the same core software.
- Patch Management: Upgrade any PowerShield NetGuard deployments to v1.04-23292 or newer. For Voltronic Power products, continue to monitor for vendor advisories but assume no immediate fix.
- Network Hardening: Ensure that no UPS management software interfaces are directly accessible via the internet. Restrict all inbound access to trusted administrative workstations. Use application-layer gateways or jump servers as needed.
- Segmentation: Place all industrial monitoring software in tightly controlled VLANs, separated from core IT or business infrastructure.
- Monitoring and Detection: Configure security monitoring tools (IDS/IPS, SIEM) to detect anomalous HTTP traffic or command invocation attempts targeting UPS management hosts.
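The asset inventory and patch management steps can be combined into one triage pass over an inventory export. This is an added example, not code from the article, CISA or either vendor: the version bounds are the ones stated on this page, while the hostnames, installed versions, the product "AcmePower Monitor" and the status labels are constructed for illustration.

```python
import re

# Version bounds as stated on this page; fixed_min is None where no fix is announced.
ADVISORY = {
    "viewpower":     {"affected_max": "1.04-24215", "fixed_min": None},
    "viewpower pro": {"affected_max": "2.2165",     "fixed_min": None},
    "netguard":      {"affected_max": "1.04-22119", "fixed_min": "1.04-23292"},
}

def parse_version(text):
    """Split '1.04-24215' into (1, 4, 24215). Comparing the numeric fields in
    order is an assumption about the vendors' numbering scheme."""
    fields = re.findall(r"\d+", text)
    return tuple(int(f) for f in fields) if fields else None

def triage(product, version):
    rule = ADVISORY.get(product.strip().lower())
    if rule is None:
        return "not-listed"   # e.g. rebranded builds: confirm lineage with the supplier
    v = parse_version(version)
    if v is None:
        return "review"       # version string could not be read
    if v <= parse_version(rule["affected_max"]):
        return "affected-upgrade" if rule["fixed_min"] else "affected-isolate"
    if rule["fixed_min"] and v >= parse_version(rule["fixed_min"]):
        return "fixed"
    return "review"           # the page makes no statement about this build

# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("ups-mon-01", "NetGuard", "1.04-22119"),
    ("ups-mon-02", "NetGuard", "1.04-23292"),
    ("ups-mon-03", "NetGuard", "1.04-22500"),
    ("plant-ups-1", "Viewpower", "1.04-21353"),
    ("dc-ups-7", "ViewPower Pro", "2.2165"),
    ("oem-ups-2", "AcmePower Monitor", "3.1"),  # hypothetical third-party product
]

def triage_inventory(inventory):
    return {host: triage(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:12} {status}")
```

NetGuard builds between the last affected version and the first fixed version land in "review" because the page states nothing about them, and unlisted products are never reported as safe.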
Long-Term Recommendations
- Vendor engagement: Pressure software suppliers, including both OEMs and MSPs, for up-to-date SBOMs and robust patch communications.
- ICS-Specific Security Audits: Schedule regular red- and blue-team exercises to test for lateral movement potential via UPS or other management ports. Simulate real-world attack scenarios based on disclosed vulnerabilities.
- User Education: Train all relevant personnel on phishing and social engineering, as attackers often use such tactics for initial access before pivoting to vulnerable software.
- Incident Preparedness: Develop and rehearse business continuity plans that assume the compromise of UPS management systems, including backup power cycling scenarios and failover mechanisms.
Conclusions: Lessons for Every Industrial Organization
The Voltronic Power and PowerShield vulnerabilities are not merely the story of two vendors’ software defects—they encapsulate the broader challenge facing industrial and OT cybersecurity in an era of converged, interconnected infrastructure. As attackers increasingly target weak links in the chain—whether for extortion, disruption, or reconnaissance—every organization must assess both technology and process against the inevitability of software flaws.
Key lessons include:
- Treat every ICS or OT component as a potential cyberattack vector, regardless of its perceived function or age.
- Demand timely patching, transparent disclosure, and verifiable security architecture from technology partners.
- Assume that attackers will exploit the path of least resistance—often found in peripheral systems like UPS monitors—so holistic, layered defenses are non-negotiable.
Source: CISA Voltronic Power and PowerShield UPS Monitoring Software | CISA