CVE-2023-6448
Published 2023-12-05
Priority: P190 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW
CISA Known Exploited Vulnerability, remediation due 2023-12-18
Exploited in the wild
EPSS: 2.09% (79.3th percentile)
Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| unitronics | samba_3.5_firmware | < 12.38 | 12.38 |
| unitronics | samba_4.3_firmware | < 12.38 | 12.38 |
| unitronics | samba_7_firmware | < 12.38 | 12.38 |
| unitronics | visilogic | < 9.9.00 | 9.9.00 |
| unitronics | vision1040_firmware | < 12.38 | 12.38 |
| unitronics | vision120_firmware | < 12.38 | 12.38 |
| unitronics | vision1210_firmware | < 12.38 | 12.38 |
| unitronics | vision130_firmware | < 12.38 | 12.38 |
| unitronics | vision230_firmware | < 12.38 | 12.38 |
| unitronics | vision280_firmware | < 12.38 | 12.38 |
| unitronics | vision290_firmware | < 12.38 | 12.38 |
| unitronics | vision350_firmware | < 12.38 | 12.38 |
| unitronics | vision430_firmware | < 12.38 | 12.38 |
| unitronics | vision530_firmware | < 12.38 | 12.38 |
| unitronics | vision560_firmware | < 12.38 | 12.38 |
| unitronics | vision570_firmware | < 12.38 | 12.38 |
| unitronics | vision700_firmware | < 12.38 | 12.38 |
Detection & IOCs (extracted from sources)
- Monitor for network probing and connections on TCP port 20256, the default PCOM/TCP port for Unitronics PLCs; attackers actively scan for and target this port to identify and interact with vulnerable devices.
- Use PCOM/TCP packet filtering to detect and parse out exploit traffic targeting Unitronics PLCs on TCP 20256.
- Alert on any unauthenticated administrative access attempts to Unitronics Vision/Samba PLCs and HMIs, particularly those still using the default password '1111'.
- Exploitation is confirmed in the wild; CISA has added this to the Known Exploited Vulnerabilities catalog with a remediation due date of 2023-12-18, indicating active, targeted attacks against this default credential weakness.
- Attackers use scripts specific to the PCOM/TCP protocol to query and validate vulnerable Unitronics systems before further exploitation; detection should account for PCOM/TCP protocol-level interactions, not just port-level traffic.
- PCOM-enabled sockets must have passwords explicitly set; they are not protected by default, representing an additional attack surface beyond the administrative password.
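As an added illustration of the port-level monitoring the bullets above call for (example code written for this page, not taken from any of the cited sources): a small Python routine that reads constructed, reduced Zeek-style conn.log records, keeps only connections to TCP 20256 from addresses outside an assumed trusted engineering network, and separates bare scan probes from connections the PLC actually answered. The trusted network, the log layout and all addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

PCOM_TCP_PORT = 20256  # default PCOM/TCP port on Unitronics Vision/Samba PLCs

# Constructed sample in a reduced Zeek conn.log layout (tab-separated):
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto conn_state orig_bytes resp_bytes
SAMPLE_CONN_LOG = """\
1701734400.1\tC1\t203.0.113.7\t51000\t192.168.10.20\t20256\ttcp\tS0\t0\t0
1701734401.2\tC2\t203.0.113.7\t51001\t192.168.10.21\t20256\ttcp\tS0\t0\t0
1701734402.3\tC3\t198.51.100.9\t40222\t192.168.10.20\t20256\ttcp\tSF\t96\t64
1701734403.4\tC4\t192.168.10.5\t33000\t192.168.10.20\t20256\ttcp\tSF\t512\t2048
1701734404.5\tC5\t203.0.113.7\t51002\t192.168.10.20\t502\ttcp\tS0\t0\t0
"""

# Assumption: the only network that should legitimately talk PCOM to the PLCs.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]

def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def find_pcom_probes(log_text: str) -> dict:
    """Map each untrusted source talking to TCP 20256 to probe/session counts and
    the PLCs it touched; an answered, completed connection (SF with reply bytes)
    is a session, anything else (S0, REJ, ...) is counted as a scan probe."""
    hits = defaultdict(lambda: {"probes": 0, "sessions": 0, "targets": set()})
    for line in log_text.splitlines():
        f = line.split("\t")
        if len(f) < 10:
            continue  # malformed or truncated record
        src, dst, dport, state, resp_bytes = f[2], f[4], int(f[5]), f[7], int(f[9])
        if dport != PCOM_TCP_PORT or is_trusted(src):
            continue
        entry = hits[src]
        entry["targets"].add(dst)
        if state == "SF" and resp_bytes > 0:
            entry["sessions"] += 1
        else:
            entry["probes"] += 1
    return dict(hits)

def alerts(log_text: str) -> list:
    """One alert line per untrusted source; an answered session outranks probing."""
    out = []
    for src, e in sorted(find_pcom_probes(log_text).items()):
        sev = "HIGH" if e["sessions"] else "MEDIUM"
        out.append(f"{sev} {src} -> PCOM/TCP {PCOM_TCP_PORT}: {e['sessions']} session(s), "
                   f"{e['probes']} probe(s), {len(e['targets'])} PLC(s)")
    return out
```

Port-level matching is only the first filter the bullets describe; a protocol-aware parser would additionally inspect the PCOM/TCP exchange itself.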
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
CISA ICS
Unitronics Vision and Samba Series (Update A)
cisa_ics · 2024-01-04 · CVSS 9.8 · [CRITICAL]
ICS Advisory
Last Revised: January 04, 2024
Alert Code: ICSA-23-348-15
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
- Vendor: Unitronics
- Equipment: Vision Series, Samba Series
- Vulnerability: Initialization of a Resource with an Insecure Default
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated attacker to take administrative control of Unitronics Vision and Samba series systems and use a default administrative password.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following Unitronics products are affected:
- VisiLogic: Versions prio
CISA
Unitronics Vision PLC and HMI Insecure Default Password Vulnerability
cisa · 2023-12-11 · CVSS 9.8 · [CRITICAL] · CWE-1188
Affected: Unitronics Vision PLC and HMI
Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which if left unchanged, can allow attackers to execute remote commands.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: Note that while it is possible to change the default password, implementors are encouraged to remove affected controllers from public networks and update the affected firmware: https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf; https://nvd.nist.gov/vuln/detail/CVE-2023-6448
Remediation Due Date: 2023-12-18
GHSA
GHSA-3r8p-3x67-72v8: Unitronics Vision Series PLCs and HMIs use default administrative passwords
ghsa_unreviewed · 2023-12-05 · [CRITICAL] · CWE-1188
Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system.
VulnCheck
Unitronics Vision PLC and HMI Insecure Default Password Vulnerability
vulncheck · 2023 · CVSS 9.8 · [CRITICAL] · CWE-1188
Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which if left unchanged, can allow attackers to execute remote commands.
Affected: Unitronics Vision PLC and HMI
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems
- https://www.securityweek.com/cisa-warns-of-unitronics-plc-exploitation-following-water-utility-hack/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.greynoise.io/resources/2023-greynoise-retrospective-internet-exploitat
No detection rules found.
No public exploits indexed.
References
- https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf
- https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf
- https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems
- https://www.unitronicsplc.com/cyber_security_vision-samba/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-6448
- 2023-12-05: Published
- 2023-12-11: Added to CISA KEV
- Exploited in the wild