CVE-2023-6448
Published on December 5, 2023

Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.


Known Exploited Vulnerability

This Unitronics Vision PLC and HMI Insecure Default Password Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which, if left unchanged, can allow attackers to execute remote commands.

The following remediation steps are recommended / required by December 18, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2023-6448 is exploitable with network access and requires neither authorization privileges nor user interaction. Its attack complexity is considered low, and it has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered critical, as it has a high impact on the confidentiality, integrity and availability of this component.

Use of Hard-coded Credentials

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.


Products Associated with CVE-2023-6448


What versions are vulnerable to CVE-2023-6448?

Each of the following must match for the vulnerability to exist.
