CVE-2023-6448

unknown KEV

Published 2023-12-11 · Modified 2023-12-11

CVSS v3

—

CVSS v2

—

VIR risk

1.5

Description

Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which if left unchanged, can allow attackers to execute remote commands.

CISA KEV

Vendor: Unitronics
Product: Vision PLC and HMI
Due date: 2023-12-18

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — Note that while it is possible to change the default password, implementors are encouraged to remove affected controllers from public networks and update the affected firmware: https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf; https://nvd.nist.gov/vuln/detail/CVE-2023-6448

Exploits

References

Note that while it is possible to change the default password, implementors are encouraged to remove affected controllers from public networks and update the affected firmware: https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf; https://nvd.nist.gov/vuln/detail/CVE-2023-6448

Verify integrity in audit chain (admin only). AS-IS.