CVE-2023-6448
📋 TL;DR
CVE-2023-6448 allows unauthenticated attackers with network access to take administrative control of Unitronics Vision and Samba PLCs and HMIs by exploiting a default administrative password. Organizations using Unitronics VisiLogic software before version 9.9.00 are affected, particularly critical infrastructure sectors like water and wastewater systems.
💻 Affected Systems
- Unitronics Vision PLCs
- Unitronics Samba PLCs
- Unitronics HMIs
📦 What is this software?
Samba 7 Firmware by Unitronics
VisiLogic by Unitronics
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems leading to physical damage, production shutdown, safety hazards, or environmental contamination
Likely Case
Unauthorized access to PLC/HMI systems allowing manipulation of industrial processes, data theft, or ransomware deployment
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access
🎯 Exploit Status
Active exploitation has been observed in the wild, particularly against water and wastewater systems. Attackers only need network access to the device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: VisiLogic 9.9.00
Vendor Advisory: https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf
Restart Required: Yes
Instructions:
1. Download VisiLogic 9.9.00 from the Unitronics website.
2. Install the update on programming computers.
3. Upload updated programs to all affected PLCs/HMIs.
4. Restart affected devices.
5. Change all default passwords after the update.
🔧 Temporary Workarounds
Network Segmentation
Isolate PLC/HMI networks from corporate and internet networks using firewalls
Access Control Lists
Implement strict network access controls to limit connections to PLC/HMI devices
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to block all unnecessary access to PLC/HMI devices
- Monitor network traffic for unauthorized access attempts and implement intrusion detection systems
🔍 How to Verify
Check if Vulnerable:
Check the VisiLogic software version on programming computers. If the version is below 9.9.00, the systems are vulnerable.
Check Version:
Open the VisiLogic software and check Help → About for the version number
Verify Fix Applied:
Verify that the VisiLogic version is 9.9.00 or higher and test that the default password no longer provides administrative access
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful login
- Unauthorized configuration changes
- Multiple login attempts from unusual IP addresses
Network Indicators:
- TCP port 20256 access attempts
- Unauthorized Modbus/TCP traffic
- Traffic from external networks to PLC devices
SIEM Query:
source="plc_network" AND ((event_type="authentication" AND result="success" AND user="admin") OR (destination_port=20256 AND source_ip NOT IN allowed_ips))
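The following detection script is an added example and is not part of the advisory or of any Unitronics tooling. It applies the log and network indicators above to constructed key=value log lines, flagging TCP 20256 connections from addresses outside an allowlist, successful logins as the administrative user, and a success preceded by repeated failures from the same source; the log format, the allowlist subnet and the sample addresses are all assumptions.

```python
import ipaddress

PCOM_PORT = 20256  # Unitronics PCOM/TCP port listed under Network Indicators
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed allowlist (placeholder)

# Constructed sample lines in a made-up key=value format; real sources differ.
SAMPLE_LOG = """\
2023-11-25T10:00:01Z src=10.20.0.15 dport=20256 event=connection
2023-11-25T10:00:05Z src=203.0.113.7 dport=20256 event=connection
2023-11-25T10:00:09Z src=203.0.113.7 dport=20256 event=authentication result=failure user=admin
2023-11-25T10:00:12Z src=203.0.113.7 dport=20256 event=authentication result=failure user=admin
2023-11-25T10:00:15Z src=203.0.113.7 dport=20256 event=authentication result=success user=admin
2023-11-25T10:01:00Z src=10.20.0.40 dport=502 event=connection
"""

def parse_line(line):
    # 'ts k=v k=v ...' -> dict; the leading timestamp is kept under 'ts'.
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, val = field.partition("=")
        rec[key] = val
    return rec

def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def find_alerts(log_text, failures_before_success=2):
    alerts = []  # (rule, source_ip) tuples in log order
    failures = {}  # source ip -> consecutive failed authentications
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        src = rec["src"]
        # Indicator: PCOM port reached from an address outside the allowlist.
        if int(rec.get("dport", 0)) == PCOM_PORT and not is_allowed(src):
            alerts.append(("pcom_from_unlisted_ip", src))
        if rec.get("event") != "authentication":
            continue
        if rec.get("result") == "failure":
            failures[src] = failures.get(src, 0) + 1
        elif rec.get("result") == "success":
            # Indicators: admin login success; success after repeated failures from one source.
            if rec.get("user") == "admin":
                alerts.append(("admin_login_success", src))
            if failures.get(src, 0) >= failures_before_success:
                alerts.append(("success_after_failures", src))
            failures[src] = 0
    return alerts
```

Each alert names the rule and the source address, so results can be grouped by source before escalation; the allowlist should be replaced with the engineering workstation ranges actually in use.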
🔗 References
- https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf
- https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf
- https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems
- https://www.unitronicsplc.com/cyber_security_vision-samba/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-6448