cbcvebase.
CVE-2023-6448
published 2023-12-05

CVE-2023-6448: Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with…

PriorityP190critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2023-12-18
Exploited in the wild
EPSS
2.09%
79.3th percentile
Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.

Affected

17 ranges
VendorProductVersion rangeFixed in
unitronicssamba_3.5_firmware< 12.3812.38
unitronicssamba_4.3_firmware< 12.3812.38
unitronicssamba_7_firmware< 12.3812.38
unitronicsvisilogic< 9.9.009.9.00
unitronicsvision1040_firmware< 12.3812.38
unitronicsvision120_firmware< 12.3812.38
unitronicsvision1210_firmware< 12.3812.38
unitronicsvision130_firmware< 12.3812.38
unitronicsvision230_firmware< 12.3812.38
unitronicsvision280_firmware< 12.3812.38
unitronicsvision290_firmware< 12.3812.38
unitronicsvision350_firmware< 12.3812.38
unitronicsvision430_firmware< 12.3812.38
unitronicsvision530_firmware< 12.3812.38
unitronicsvision560_firmware< 12.3812.38
unitronicsvision570_firmware< 12.3812.38
unitronicsvision700_firmware< 12.3812.38

Detection & IOCsextracted from sources · hover to see the quote

portTCP 20256
other1111
  • Monitor for network probing and connections on TCP port 20256, the default PCOM/TCP port for Unitronics PLCs; attackers actively scan for and target this port to identify and interact with vulnerable devices.
  • Use PCOM/TCP packet filtering to detect and parse out exploit traffic targeting Unitronics PLCs on TCP 20256.
  • Alert on any unauthenticated administrative access attempts to Unitronics Vision/Samba PLCs and HMIs, particularly those still using the default password '1111'.
  • ·Exploitation is confirmed in the wild; CISA has added this to the Known Exploited Vulnerabilities catalog with a remediation due date of 2023-12-18, indicating active, targeted attacks against this default credential weakness.
  • ·Attackers use scripts specific to the PCOM/TCP protocol to query and validate vulnerable Unitronics systems before further exploitation; detection should account for PCOM/TCP protocol-level interactions, not just port-level traffic.
  • ·PCOM-enabled sockets must have passwords explicitly set; they are not protected by default, representing an additional attack surface beyond the administrative password.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.