CVE-2023-22804

9.1 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to create administrative accounts on LS ELECTRIC XBC-DN32U PLCs running OS version 01.80. Attackers can gain full control of affected industrial control devices, potentially disrupting operations or causing physical damage. Organizations using these specific PLCs are at risk.

💻 Affected Systems

Products:
  • LS ELECTRIC XBC-DN32U Programmable Logic Controller
Versions: Operating system version 01.80
Operating Systems: LS ELECTRIC proprietary PLC OS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with the vulnerable OS version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of industrial control systems leading to physical damage, production shutdowns, safety system manipulation, or environmental harm.

🟠 Likely Case: Unauthorized access to PLCs allowing configuration changes, logic manipulation, or denial of service affecting industrial processes.

🟢 If Mitigated: Limited impact if network segmentation prevents access to PLCs and monitoring detects unauthorized account creation attempts.

🌐 Internet-Facing: HIGH - Direct internet exposure allows remote attackers to exploit without any authentication.
🏢 Internal Only: HIGH - Even internally, any network access to these devices allows privilege escalation without credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Because no authentication is required, exploitation is trivial for anyone with network access to the device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version 01.81 or later

Vendor Advisory: https://www.lselectric.com/security-advisories

Restart Required: Yes

Instructions:

1. Download the firmware update from the LS ELECTRIC support portal.
2. Back up the current PLC program.
3. Apply the firmware update via the programming software.
4. Restart the PLC.
5. Verify the new firmware version.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate PLCs in separate network segments with strict firewall rules preventing external and unnecessary internal access.

Access Control Lists (all)

Implement network ACLs to restrict access to PLC management interfaces to authorized IP addresses only.

🧯 If You Can't Patch

  • Implement strict network segmentation with industrial DMZ architecture
  • Deploy intrusion detection systems monitoring for unauthorized account creation attempts

🔍 How to Verify

Check if Vulnerable:

Check the PLC OS version via the programming software or web interface. If the version is 01.80, the device is vulnerable.

Check Version:

Use the LS ELECTRIC XG5000 programming software to read the PLC system information.

Verify Fix Applied:

After update, verify OS version shows 01.81 or later and test that user creation requires authentication.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected user account creation events
  • Authentication bypass attempts
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • Unauthorized access to PLC management ports (typically 502/TCP Modbus, 80/443 HTTP/HTTPS)
  • Network traffic to PLCs from unexpected sources

SIEM Query:

source="plc_logs" AND (event="user_created" OR event="auth_bypass")
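The version check under "How to Verify" and the log indicators above, as an added example that is not part of this advisory or any LS ELECTRIC tooling: it flags XBC-DN32U units whose OS version is below the fixed 01.81 and raises alerts for user_created/auth_bypass events that come from hosts outside a management allow-list. The inventory records, the key=value log format, the allow-listed address and the sample log lines are all constructed assumptions.

```python
import re
FIXED = (1, 81)  # 01.81 or later per the advisory

def parse_version(s):
    """'01.80' -> (1, 80); raises ValueError on malformed strings."""
    major, minor = s.strip().split(".")
    return int(major), int(minor)

def needs_update(model, os_version):
    """True for an XBC-DN32U that is not yet on the fixed OS version."""
    return model == "XBC-DN32U" and parse_version(os_version) < FIXED

# Constructed inventory records: (asset, model, os_version).
INVENTORY = [
    ("plc-line1", "XBC-DN32U", "01.80"),
    ("plc-line2", "XBC-DN32U", "01.81"),
    ("plc-line3", "XBC-DN32U", "01.80"),
]

def assets_needing_update(inventory=INVENTORY):
    return [asset for asset, model, ver in inventory if needs_update(model, ver)]

# Constructed key=value log format (assumed, not the PLC's real log syntax).
LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOWED_SOURCES = {"10.10.5.20"}  # hosts allowed to manage the PLCs, e.g. the XG5000 workstation (assumed)
WATCH_EVENTS = {"user_created", "auth_bypass"}  # the events the SIEM query above keys on

def parse_line(line):
    return {k: v.strip('"') for k, v in LOG_RE.findall(line)}

def suspicious_events(lines, allowed=ALLOWED_SOURCES):
    """(asset, src, event) for watched events coming from non-allow-listed hosts."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("event") in WATCH_EVENTS and ev.get("src") not in allowed:
            hits.append((ev.get("asset"), ev.get("src"), ev["event"]))
    return hits

# Constructed sample log lines.
SAMPLE_LOGS = [
    'ts=2023-04-01T10:00:01Z asset=plc-line1 src=10.10.5.20 event=user_created user="maint"',
    'ts=2023-04-01T10:02:13Z asset=plc-line1 src=192.0.2.77 event=user_created user="admin2"',
    'ts=2023-04-01T10:02:14Z asset=plc-line3 src=192.0.2.77 event=auth_bypass',
    'ts=2023-04-01T10:05:00Z asset=plc-line2 src=10.10.5.20 event=login_ok user="eng"',
]

if __name__ == "__main__":
    print("Needs update:", assets_needing_update())
    print("Alerts:", suspicious_events(SAMPLE_LOGS))
```

An account created from the allow-listed engineering workstation is deliberately not alerted on; review those against change records instead.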
