Unitronics Vision PLC and HMI Insecure Default Password Vulnerability

Technical Severity

CVSS v3.1 Metrics

CRITICAL

9.8 / 10

Minimal Risk Critical

Vector Specification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Likelihood

EPSS Prediction

13.29 %

Predictive Probability

Percentile Rank

94.0 th

Documented as more likely to be exploited than 94.0% of known CVEs.

Detection Date

Dec 11, 2023

Remediation Due

Dec 18, 2023

CISA Catalog Active

Threat Analysis

Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which if left unchanged, can allow attackers to execute remote commands.

Remediation Directive

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Asset Context

Vendor Identity

Unitronics

Affected Product

Vision PLC and HMI

Ransomware Status

Campaign Use Unknown

Weakness Classification

CWE-1188

External Intelligence

Note that while it is possible to change the default password, implementors are encouraged to remove affected controllers from public networks and update the affected firmware:

https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf

NVD

National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2023-6448