CVE-2023-2003
📋 TL;DR
This vulnerability allows remote attackers to inject and execute malicious code on Unitronics Vision1210 PLCs by storing base64-encoded payloads in device data tables via the PCOM protocol. Affected systems are Vision1210 devices running operating system version 4.3 build 5, primarily used in industrial control and automation environments.
💻 Affected Systems
- Unitronics Vision1210 Programmable Logic Controller
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems leading to physical damage, production shutdowns, safety system manipulation, or data exfiltration from operational technology networks.
Likely Case
Unauthorized code execution allowing attackers to modify PLC logic, disrupt industrial processes, or establish persistence in OT networks for further attacks.
If Mitigated
Limited impact if proper network segmentation, protocol filtering, and access controls prevent external PCOM protocol access to vulnerable devices.
🎯 Exploit Status
Exploitation requires only network access to the PCOM service (typically port 20256/TCP) with no authentication. Public proof-of-concept demonstrates the attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Operating System version 4.4 or later
Vendor Advisory: https://www.unitronicsplc.com/Download/SoftwareUtilities/Vision1210_OS_4.4_Release_Notes.pdf
Restart Required: Yes
Instructions:
1. Download OS version 4.4 or later from Unitronics website.
2. Backup current PLC program.
3. Upload new OS to Vision1210 via programming software.
4. Restart device.
5. Restore program if needed.
🔧 Temporary Workarounds
Network Segmentation and Access Control
Isolate Vision1210 devices in dedicated OT network segments and restrict PCOM protocol access to authorized engineering stations only.
Firewall PCOM Protocol Blocking
Block external access to PCOM protocol (typically port 20256/TCP) at network perimeter and between IT/OT zones.
iptables -A INPUT -p tcp --dport 20256 -j DROP
netsh advfirewall firewall add rule name="Block PCOM" dir=in action=block protocol=TCP localport=20256
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Vision1210 devices from untrusted networks
- Deploy industrial firewall or ACLs to restrict PCOM protocol access to specific authorized IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check OS version in Vision1210 programming software: Connect to device and view System Information. If OS is version 4.3 build 5, device is vulnerable.
Check Version:
Use Unitronics VisiLogic software: Connect to PLC → Project → Information → System Information tab
Verify Fix Applied:
After updating, verify OS version shows 4.4 or later in System Information. Test that PCOM protocol functions normally for legitimate engineering access.
📡 Detection & Monitoring
Log Indicators:
- Unusual PCOM protocol connections from unauthorized IP addresses
- Multiple failed connection attempts followed by successful PCOM access
- Unexpected PLC program modifications or downloads
Network Indicators:
- PCOM protocol traffic (port 20256/TCP) from unexpected sources
- Base64-encoded data in PCOM communications
- Unusual network patterns to/from Vision1210 devices
SIEM Query:
source_port=20256 OR dest_port=20256 | stats count by src_ip, dest_ip | where count > threshold
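The network indicators above can be combined into one triage pass over exported flow or packet records. The following is an added example, not part of the original advisory or any vendor tooling; the authorized range, record layout and sample payloads are constructed assumptions, and the base64 check is a heuristic that flags traffic for review rather than confirming an attack.

```python
import base64
import ipaddress
import re

PCOM_PORT = 20256  # port the page gives as typical for PCOM
# Assumption: engineering stations allowed to use PCOM (constructed range).
AUTHORIZED = [ipaddress.ip_network("10.10.5.0/28")]
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")  # long base64-alphabet runs

def is_authorized(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED)

def base64_runs(payload):
    """Decode every run in payload that is well-formed base64."""
    hits = []
    for match in B64_RUN.finditer(payload):
        try:
            hits.append(base64.b64decode(match.group(), validate=True))
        except ValueError:  # bad padding or length; binascii.Error is a ValueError
            continue
    return hits

def triage(records):
    """records: (src_ip, dst_ip, dst_port, payload) tuples."""
    alerts = []
    for src, dst, dport, payload in records:
        if dport != PCOM_PORT:
            continue
        reasons = []
        if not is_authorized(src):
            reasons.append("unauthorized-source")
        if base64_runs(payload):
            reasons.append("base64-in-payload")
        if reasons:
            alerts.append((src, dst, reasons))
    return alerts

# Constructed records; payloads are placeholders, not real PCOM frames.
SAMPLE = [
    ("10.10.5.3", "10.20.0.15", 20256, b"\x00\x01status-read"),
    ("192.0.2.44", "10.20.0.15", 20256, b"\x00\x01status-read"),
    ("10.10.5.3", "10.20.0.15", 20256,
     b"hdr|" + base64.b64encode(b"constructed test blob 0123") + b"|end"),
    ("192.0.2.44", "10.20.0.15", 443, b"GET / HTTP/1.1"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Long hexadecimal strings also fall inside the base64 alphabet, so expect some false positives from the payload check and tune the minimum run length against normal engineering traffic.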
🔗 References
- https://www.hackplayers.com/2023/07/vulnerabilidad-vision1210-unitronics.html
- https://www.incibe.es/en/incibe-cert/notices/aviso-sci/embedded-malicious-code-vulnerability-unitronics-vision1210