CVE-2023-40151
published 2023-11-21


Priority: P262 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.15% (62.9th percentile)
When user authentication is not enabled, the shell can execute commands with the highest privileges. On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message arrives over TCP/IP, the RTU simply accepts it with no authentication challenge.

Affected

12 ranges

Vendor               Product
red_lion_controls    st-ipm-6350
red_lion_controls    st-ipm-8460
red_lion_controls    vt-ipm2m-113-d
red_lion_controls    vt-ipm2m-213-d
red_lion_controls    vt-mipm-135-d
red_lion_controls    vt-mipm-245-d
redlioncontrols      st-ipm-6350_firmware
redlioncontrols      st-ipm-8460_firmware
redlioncontrols      vt-ipm2m-113-d_firmware
redlioncontrols      vt-ipm2m-213-d_firmware
redlioncontrols      vt-mipm-135-d_firmware
redlioncontrols      vt-mipm-245-d_firmware

The "Version range" and "Fixed in" columns are empty for all 12 entries on this page.

Detection & IOCs (extracted from sources)

port: TCP/1594
  • Detect unauthenticated Sixnet UDR messages arriving over TCP/IP (port 1594) — the RTU accepts these with no authentication challenge, unlike UDP/IP which enforces authentication. Alert on TCP connections to port 1594 on affected RTU devices.
  • Monitor for Sixnet UDR protocol traffic over TCP port 1594 to Red Lion SixTRAK/VersaTRAK RTUs; legitimate deployments should only use UDP/IP for UDR with authentication enabled.
  • Alert on shell command execution at highest privilege level on affected RTUs when user authentication is not enabled (CWE-749 — Exposed Dangerous Method or Function).
  • CVE-2023-40151 affects Red Lion SixTRAK and VersaTRAK RTUs across multiple firmware versions; exploitation is only possible when user authentication is NOT enabled. Ensure UDR-A (authenticated users) mode is active.
  • The authentication bypass via TCP/IP (CVE-2023-42770, co-reported in the same advisory) affects devices even when authenticated users ARE enabled (UDR-A), because the TCP path skips the challenge entirely. Both CVEs share the same attack vector and should be remediated together.
  • Patch filenames differ by device family: ST-IPm-8460 uses '8313_patch1_tcp_udr_all_blocked.tar.gz', while ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D use '855_patch1_tcp_udr_all_blocked.tar.gz'. Applying the wrong patch to the wrong device family may leave the vulnerability unmitigated.
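The detection notes above boil down to one rule: UDR traffic to an affected RTU should arrive over UDP/1594, where UDR-A challenges it, and any UDR over TCP/1594 is the unauthenticated path. The following is an added example (not from the advisory, the vendor, or this page's sources) that applies that rule to Zeek conn.log rows. The RTU inventory, the IP addresses and the log rows are constructed for illustration; the conn.log column order assumed is ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.

```python
# Added example: flag Sixnet UDR sessions to affected RTUs that arrive over TCP/1594.
# Not vendor code. Inventory, addresses and log lines below are constructed.
from dataclasses import dataclass

UDR_PORT = 1594  # Sixnet UDR port named in the detection notes (TCP and UDP)

# Constructed inventory: RTU address -> model (hypothetical values).
AFFECTED_RTUS = {
    "10.20.0.11": "ST-IPm-8460",
    "10.20.0.12": "VT-mIPm-245-D",
}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    model: str
    proto: str
    reason: str


def parse_conn_line(line):
    """Parse one tab-separated Zeek conn.log row (assumed column order:
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto). Returns None for
    header/comment rows or rows that are too short."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7 or fields[0].startswith("#"):
        return None
    return {
        "ts": fields[0],
        "src": fields[2],
        "sport": int(fields[3]),
        "dst": fields[4],
        "dport": int(fields[5]),
        "proto": fields[6].lower(),
    }


def _udr_to_rtu(lines, inventory):
    """Yield parsed rows whose responder is an inventoried RTU on the UDR port."""
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["dport"] != UDR_PORT or rec["dst"] not in inventory:
            continue
        yield rec


def detect_tcp_udr(lines, inventory=AFFECTED_RTUS):
    """Return a Finding for every UDR session to an affected RTU carried over TCP.
    UDP/1594 sessions are the expected, challenged path and are not flagged."""
    findings = []
    for rec in _udr_to_rtu(lines, inventory):
        if rec["proto"] == "tcp":
            findings.append(Finding(
                rec["ts"], rec["src"], rec["dst"], inventory[rec["dst"]], "tcp",
                "Sixnet UDR over TCP/1594: accepted without UDR-A challenge",
            ))
    return findings


def udr_proto_summary(lines, inventory=AFFECTED_RTUS):
    """Count UDR sessions per (model, transport) so a site can baseline how much
    TCP UDR exists before blocking it (the vendor patch names suggest TCP UDR
    is blocked outright)."""
    counts = {}
    for rec in _udr_to_rtu(lines, inventory):
        key = (inventory[rec["dst"]], rec["proto"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample conn.log rows (not captured traffic).
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1700000001.0\tC1\t10.20.0.50\t40001\t10.20.0.11\t1594\tudp",  # expected UDP path
    "1700000002.0\tC2\t10.20.0.50\t40002\t10.20.0.11\t1594\ttcp",  # flag
    "1700000003.0\tC3\t10.20.0.77\t40003\t10.20.0.12\t1594\ttcp",  # flag
    "1700000004.0\tC4\t10.20.0.50\t40004\t10.20.0.99\t1594\ttcp",  # not an inventoried RTU
    "1700000005.0\tC5\t10.20.0.50\t40005\t10.20.0.11\t22\ttcp",    # other service
]

if __name__ == "__main__":
    for finding in detect_tcp_udr(SAMPLE_CONN_LOG):
        print(finding)
    print(udr_proto_summary(SAMPLE_CONN_LOG))
```

Run against the constructed rows, two findings come back (the two TCP/1594 sessions to inventoried RTUs); the TCP session to 10.20.0.99 is ignored because the check is scoped to known RTUs rather than to any host on port 1594, which keeps the rule quiet on unrelated services. After the vendor patch is applied, any remaining TCP/1594 session to an RTU is itself a signal that the patch did not take.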

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_oracle · 7.5 MEDIUM