CVE-2023-6448 : Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HM

Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.

Published 2023-12-05 18:15:13

Updated 2025-01-27 21:52:49

Source Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

View at NVD, CVE.org

Products affected by CVE-2023-6448

Unitronics » Vision1210 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision1210_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision1210 » Version: N/A
Unitronics » Vision1040 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision1040_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision1040 » Version: N/A
Unitronics » Vision700 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision700_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision700 » Version: N/A
Unitronics » Vision570 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision570_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision570 » Version: N/A
Unitronics » Vision560 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision560_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision560 » Version: N/A
Unitronics » Vision430 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision430_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision430 » Version: N/A
Unitronics » Vision350 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision350_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision350 » Version: N/A
Unitronics » Vision130 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision130_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision130 » Version: N/A
Unitronics » Vision230 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision230_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision230 » Version: N/A
Unitronics » Vision280 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision280_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision280 » Version: N/A
Unitronics » Vision290 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision290_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision290 » Version: N/A
Unitronics » Vision530 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision530_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision530 » Version: N/A
Unitronics » Vision120 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:vision120_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Vision120 » Version: N/A
Unitronics » Visilogic
Versions before (<) 9.9.00
cpe:2.3:a:unitronics:visilogic:*:*:*:*:*:*:*:*
Matching versions
Unitronics » Samba 3.5 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:samba_3.5_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Samba 3.5 » Version: N/A
Unitronics » Samba 4.3 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:samba_4.3_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Samba 4.3 » Version: N/A
Unitronics » Samba 7 Firmware
Versions before (<) 12.38
cpe:2.3:o:unitronics:samba_7_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Unitronics » Samba 7 » Version: N/A

CVE-2023-6448 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Unitronics Vision PLC and HMI Insecure Default Password Vulnerability

CISA required action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA description:

Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which if left unchanged, can allow attackers to execute remote commands.

Notes:

Note that while it is possible to change the default password, implementors are encouraged to remove affected controllers from public networks and update the affected firmware: https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pd

Added on 2023-12-11 Action due date 2023-12-18

Exploit prediction scoring system (EPSS) score for CVE-2023-6448

EPSS FAQ

16.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-6448

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-6448

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

Assigned by: nvd@nist.gov (Primary)
CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

Assigned by: 9119a7d8-5eab-497f-8521-727c672e3725 (Secondary)

References for CVE-2023-6448

https://www.unitronicsplc.com/cyber_security_vision-samba/

Cyber Protection
Product
https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems

Exploitation of Unitronics PLCs used in Water and Wastewater Systems | CISA
Third Party Advisory;US Government Resource
https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf

Vendor Advisory
https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf

Release Notes

Jump to

Vulnerability Details : CVE-2023-6448