CVE-2023-6448 Overview
CVE-2023-6448 is a critical Hardcoded Credentials vulnerability affecting Unitronics VisiLogic before version 9.9.00, which is used in Vision and Samba PLCs (Programmable Logic Controllers) and HMIs (Human-Machine Interfaces). The vulnerability stems from the use of a default administrative password, allowing an unauthenticated attacker with network access to take complete administrative control of vulnerable systems.
This vulnerability is particularly concerning as it affects industrial control systems commonly deployed in critical infrastructure sectors, including water and wastewater treatment facilities. CISA has issued alerts regarding active exploitation of these devices in real-world attacks targeting critical infrastructure.
Critical Impact
Unauthenticated attackers can gain full administrative control over industrial control systems using default credentials, potentially disrupting critical infrastructure operations including water treatment facilities.
Affected Products
- Unitronics VisiLogic (versions before 9.9.00)
- Unitronics Vision Series PLCs (Vision120, Vision130, Vision230, Vision280, Vision290, Vision350, Vision430, Vision530, Vision560, Vision570, Vision700, Vision1040, Vision1210)
- Unitronics Samba Series HMIs (Samba 3.5, Samba 4.3, Samba 7)
Discovery Timeline
- December 5, 2023 - CVE-2023-6448 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2023-6448
Vulnerability Analysis
This vulnerability is classified under CWE-1188 (Insecure Default Initialization of Resource) and CWE-798 (Use of Hard-coded Credentials). The root issue lies in Unitronics VisiLogic's authentication mechanism, which ships with a default administrative password that many operators fail to change after deployment.
The vulnerability allows attackers to authenticate to affected PLCs and HMIs without requiring any prior knowledge of custom credentials. Once authenticated, attackers gain full administrative access to the device, enabling them to modify PLC logic, alter operational parameters, disrupt industrial processes, or use the compromised device as a pivot point for further network intrusion.
This is particularly dangerous in operational technology (OT) environments where PLCs directly control physical processes. Water treatment facilities, manufacturing plants, and other critical infrastructure often rely on these devices for automated process control.
Root Cause
The vulnerability exists because Unitronics VisiLogic software utilizes a well-known default administrative password that remains unchanged in many deployments. The software does not enforce password changes during initial setup or provide adequate warnings about the security implications of retaining default credentials.
Industrial control systems are frequently deployed with default configurations and may remain in production environments for extended periods without security updates. The combination of default credentials and network accessibility creates a trivial exploitation path for attackers.
Attack Vector
Exploitation of CVE-2023-6448 requires network access to the affected PLC or HMI. Attackers can connect to exposed devices over the network (typically via Modbus/TCP on port 502 or other proprietary protocols) and authenticate using the default administrative password. No user interaction or special privileges are required.
In many cases, these devices are inadvertently exposed to the internet or are accessible from less-secured network segments. Attackers have been observed scanning for exposed Unitronics devices and leveraging default credentials to gain unauthorized access. Once authenticated, the attacker has full control over the device's configuration and operation.
The attack does not require sophisticated technical knowledge—automated tools can scan for and exploit devices using default credentials at scale.
Detection Methods for CVE-2023-6448
Indicators of Compromise
- Unexpected authentication attempts to Unitronics PLCs or HMIs from unfamiliar IP addresses
- Unauthorized changes to PLC programming logic or configuration parameters
- Unusual network traffic to/from port 502 (Modbus/TCP) or Unitronics proprietary ports
- Anti-Israel or hacktivist-themed messages displayed on HMI screens (observed in real-world attacks)
Detection Strategies
- Deploy network monitoring to detect connections to Unitronics devices from unauthorized sources
- Implement asset inventory to identify all Unitronics Vision and Samba devices on the network
- Monitor for authentication events and configuration changes on PLC/HMI devices
- Use threat intelligence feeds to identify known malicious IP addresses targeting industrial control systems
Monitoring Recommendations
- Enable logging on all network devices between IT and OT networks to capture connection attempts
- Implement network segmentation monitoring to detect lateral movement attempts toward OT environments
- Configure alerts for any remote access to PLCs outside of scheduled maintenance windows
- Regularly audit device configurations to detect unauthorized modifications
How to Mitigate CVE-2023-6448
Immediate Actions Required
- Change the default administrative password on all Unitronics Vision and Samba devices immediately
- Upgrade Unitronics VisiLogic to version 9.9.00 or later, which addresses the default password issue
- Disconnect affected devices from the internet and place behind properly configured firewalls
- Implement network segmentation to isolate OT devices from IT networks and the internet
Patch Information
Unitronics has released VisiLogic version 9.9.00 which addresses this vulnerability. Organizations should upgrade to this version or later as soon as possible. Refer to the Unitronics Cybersecurity Advisory 2023-001 for official guidance from the vendor.
Additional guidance is available from CISA's alert on Unitronics PLC exploitation, which provides sector-specific recommendations for water and wastewater facilities.
Workarounds
- If immediate patching is not possible, change default passwords on all devices as a minimum protective measure
- Implement network-level access controls to restrict access to PLCs to authorized IP addresses only
- Use VPN or other secure remote access solutions instead of direct internet exposure
- Enable multi-factor authentication where supported for remote access to OT networks
# Network segmentation example - restrict access to PLC network
# Firewall rule to allow only authorized management stations
iptables -A INPUT -s 192.168.10.0/24 -d 192.168.50.0/24 -p tcp --dport 502 -j ACCEPT
iptables -A INPUT -d 192.168.50.0/24 -p tcp --dport 502 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
