CVE-2023-6448

Published: Dec 5, 2023Modified: Feb 26, 2026CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.

Affected (17)

Products: Unitronics: Vision1210 Firmware, Vision1040 Firmware, Vision700 Firmware, Vision570 Firmware, Vision560 Firmware, Vision430 Firmware, Vision350 Firmware, Vision130 Firmware, Vision230 Firmware, Vision280 Firmware, Vision290 Firmware, Vision530 Firmware, Vision120 Firmware, Visilogic, Samba 3.5 Firmware, Samba 4.3 Firmware, Samba 7 Firmware

17 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision1210 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision1210	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision1040 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision1040	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision700 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision700	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision570 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision570	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision560 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision560	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision430 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision430	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision350 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision350	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision130 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision130	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision230 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision230	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision280 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision280	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision290 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision290	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision530 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision530	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Vision120 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Vision120	All versions

Configuration N

1 vulnerable

Vulnerable Software	Affected Versions
Unitronics Visilogic	Before 9.9.00

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Samba 3.5 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Samba 3.5	All versions

Configuration P

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Samba 4.3 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Samba 4.3	All versions

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Unitronics Samba 7 Firmware	Before 12.38

Running on/with	Platform Versions
Unitronics Samba 7	All versions

Related CWEs

CWE-1188

Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

CWE-798

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (9)

https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf

Source: 9119a7d8-5eab-497f-8521-727c672e3725

Vendor Advisory

https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf

Source: 9119a7d8-5eab-497f-8521-727c672e3725

Release Notes

https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems

Source: 9119a7d8-5eab-497f-8521-727c672e3725

Third Party AdvisoryUS Government Resource

https://www.unitronicsplc.com/cyber_security_vision-samba/

Source: 9119a7d8-5eab-497f-8521-727c672e3725

Product

https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://www.unitronicsplc.com/cyber_security_vision-samba/

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-6448

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.