Home / Vulnerabilities / CVE-2023-6448
CRITICAL SEVERITY
CVE-2023-6448Unitronics · Vision PLC and HMI

Unitronics Vision PLC and HMI Insecure Default Password Vulnerability

Technical Severity

CVSS v3.1 Metrics

CRITICAL
9.8 / 10
Minimal Risk Critical
Vector Specification
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Likelihood

EPSS Prediction

13.29 %
Predictive Probability
Percentile Rank
94.1 th

Documented as more likely to be exploited than 94.1% of known CVEs.

Detection Date

Dec 11, 2023

Remediation Due

Dec 18, 2023

CISA Catalog Active

Threat Analysis

Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which if left unchanged, can allow attackers to execute remote commands.

Remediation Directive

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

External Intelligence

Note that while it is possible to change the default password, implementors are encouraged to remove affected controllers from public networks and update the affected firmware:

https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf

NVD

National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2023-6448