CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 92.1%
Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.
Recent assessments:
cbeek-r7 at December 13, 2023 10:51am UTC reported:
The Cybersecurity and Infrastructure Security Agency (CISA) is actively addressing a situation involving the unauthorized use of Unitronics programmable logic controllers (PLCs), specifically in the Water and Wastewater Systems (WWS) Sector. These PLCs, vital for water treatment processes, have been compromised by cyber attackers, particularly targeting a specific Unitronics PLC at a water facility in the United States. In reaction, the local water authority responsible for the facility promptly disconnected the compromised system from their network and reverted to manual operations. Fortunately, there is no immediate threat to the community's drinking water or overall water supply.
Unauthorized access and efforts to breach the security of WWS systems pose a significant risk. Such actions can disrupt the provision of clean drinking water and the efficient treatment of wastewater in affected communities.
The cybercriminals in this instance seemingly gained access to the targeted device, a Unitronics Vision Series PLC equipped with a Human Machine Interface (HMI), by exploiting cybersecurity vulnerabilities. These vulnerabilities include inadequate password security measures and the PLC's exposure to the internet.
By default the Unitronics PLC default password = "1111"
Assessed Attacker Value: 5
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6448
downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf
downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf
www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems
www.unitronicsplc.com/cyber_security_vision-samba/