Red Lion DA50N

Plan PatchCVSS 9.6ICS-CERT ICSA-22-104-03Apr 14, 2022

Red Lion

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Red Lion DA50N contains multiple vulnerabilities (CWE-345, CWE-521, CWE-1104) involving weak authentication, insecure credential storage, and related authentication bypass issues. The device allows installation of unsigned firmware images, weak default passwords (admin, rlcuser, techsup accounts), and optional services (SSH, telnet) that can be left enabled. Red Lion has marked the DA50N series as end-of-life and does not intend to release patches. Successful exploitation could result in data compromise, modification, and denial of service.

What this means

What could happen

An attacker with network access to a DA50N device could install malicious firmware, change operational settings, extract credentials, or shut down remote terminal services. This could disrupt SCADA monitoring and control functionality in water and utility automation systems.

Who's at risk

Water authorities and utilities using Red Lion DA50N remote terminal units (RTUs) or human-machine interfaces (HMIs) for SCADA monitoring and control. The DA50N is commonly deployed in telemetry and process automation roles where unauthorized access could disrupt operations.

How it could be exploited

An attacker could exploit weak default credentials (admin, rlcuser, techsup) to gain unauthorized access to the device. Alternatively, the attacker could place a malicious firmware image on an SD card or intercept downloads by exploiting weak TLS certificate validation, allowing unsigned firmware installation that gives full device control.

Prerequisites

Network access to the DA50N device
Knowledge of default account names (admin, rlcuser, techsup)
Physical access to SD card slot (for firmware insertion attack)
Ability to intercept or redirect firmware downloads over the network

No patch available (end-of-life product)Default credentialsWeak authenticationRemotely exploitableAffects operational visibility and control systems

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

DA50N: All versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/9

Do now

0/5

WORKAROUNDChange default passwords for admin, rlcuser, and techsup accounts to unique, strong passwords

WORKAROUNDDisable SSH service if not required for operations

WORKAROUNDDisable telnet service if not already disabled

HARDENINGRestrict physical access to the DA50N device to prevent unauthorized SD card firmware insertion

WORKAROUNDOnly download firmware images from the official Red Lion website and verify TLS certificate validity before download

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to Red Lion DA50A or DA70A series devices

HARDENINGImplement network segmentation to isolate DA50N devices from the business network and restrict internet access

HARDENINGDeploy firewalls to limit network access to the device to only authorized IP addresses and ports required for operations

HARDENINGStore firmware images and configuration files in a secure, access-controlled location if stored before deployment

CVEs (3)

CVE-2022-26516 CVE-2022-1039 CVE-2022-27179

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5affbe3e-52ce-4bd0-adbd-d6b31450edcd

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.