OTPulse

Unitronics Vision and Samba Series (Update A)

Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-23-348-15
Date: Dec 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Unitronics Vision and Samba series PLCs and HMIs contain a vulnerability that allows an unauthenticated attacker to gain administrative control using a default password. The vulnerability exists in VisiLogic software (versions before 9.9.00) and OS (versions before 12.38). Attackers can connect via PCOM protocol over TCP 20256 without authentication credentials and use the default administrative password "1111" to take full control of the device. This gives attackers the ability to modify process logic, alter control parameters, stop operations, or inject malware. The vulnerability is being actively exploited in the wild against water and wastewater systems.

What this means
What could happen
An unauthenticated attacker can gain administrative control of Vision and Samba series PLCs and HMIs, allowing them to alter process logic, change control setpoints, stop operations, or deploy ransomware on critical water/electric infrastructure devices.
Who's at risk
Water utilities, municipal electric utilities, and any facility using Unitronics Vision or Samba series PLCs and HMIs for process control. This includes SCADA systems for pumps, treatment processes, distribution networks, and power generation equipment where these controllers manage critical operational logic.
How it could be exploited
An attacker probes the network to identify Unitronics devices via TCP port 20256 (or another configured PCOM port), then connects without authentication and uses the default password "1111" (or finds no password set) to gain full administrative access to the device.
Prerequisites
  • Network reachability to TCP port 20256 (or alternative PCOM port configured on the device)
  • Default Unitronics password '1111' in use, or no password set on PCOM-enabled sockets
  • PCOM (remote operations) enabled on the device
  • No firewall or network access control blocking external connections to the device
  • Remotely exploitable
  • No authentication required (default credentials)
  • Low complexity attack
  • Actively exploited in the wild (KEV)
  • High EPSS score (13.3%)
  • Default credentials widely known
  • Affects safety and operational systems
  • Critical CVSS score (9.8)
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2)
2 with fix
Product      Affected Versions   Fix Status
VisiLogic    <9.9.00             Fixed in 9.9.00
OS           <12.38              Fixed in 12.38
Remediation & Mitigation
Do now
HOTFIX: Update VisiLogic to version 9.9.00 or later
HOTFIX: Update OS to version 12.38 or later
WORKAROUND: Change the default password '1111' to a strong custom password on all PLCs and HMIs immediately
WORKAROUND: Set a strong password on all PCOM-enabled sockets
HARDENING: Disable PCOM remote operations or control them using SDW10 role-based access controls
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Change TCP port from default 20256 to a non-standard port if possible
HARDENING: Implement firewall rules or a VPN gateway in front of the PLC to restrict network access and require authentication
HARDENING: Use an allowlist of authorized IP addresses for PLC access
HARDENING: Back up all PLC logic and configurations to enable rapid recovery from ransomware or unauthorized changes
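The allowlist and firewall items above are easier to operate when something checks that they actually hold. The script below is an added example, not part of this advisory or of any Unitronics tooling: it runs over firewall connection-log lines and flags TCP connections toward the PLC subnet on the PCOM port that do not originate from an allowlisted engineering host, treating non-RFC1918 sources as the highest-severity case. The log format, the subnets, and every IP address are constructed assumptions; substitute your own PLC ranges, allowlisted workstations, and any non-standard PCOM port.

```python
"""Flag PCOM (TCP 20256) connections to PLCs from non-allowlisted sources.

Added example (not OTPulse or Unitronics code). The log line format and all
addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default Unitronics PCOM/TCP port from the advisory; add any non-standard
# port you have configured on the devices.
PCOM_PORTS = {20256}

# Assumed subnet where the Vision/Samba PLCs and HMIs live.
PLC_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]

# Assumed engineering/SCADA hosts that are permitted to reach the PLCs.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# RFC1918 ranges: anything outside these is treated as an external source.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    action: str
    reason: str


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def parse_line(line: str) -> Optional[dict]:
    """Parse a constructed line: '<ts> proto=tcp src=<ip> dst=<ip> dport=<n> action=<allow|deny>'."""
    tokens = line.split()
    if len(tokens) < 2:
        return None
    try:
        return dict(kv.split("=", 1) for kv in tokens[1:])
    except ValueError:  # a token without '=' means a malformed line
        return None


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert for a PCOM connection to a PLC from a non-allowlisted host, else None."""
    f = parse_line(line)
    if not f or f.get("proto") != "tcp":
        return None
    try:
        dport = int(f["dport"])
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
    except (KeyError, ValueError):
        return None
    if dport not in PCOM_PORTS or not _in_any(dst, PLC_NETWORKS):
        return None
    if _in_any(src, ALLOWED_SOURCES):
        return None  # expected engineering traffic
    if _in_any(src, INTERNAL_NETWORKS):
        reason = "PCOM from non-allowlisted internal host"
    else:
        reason = "PCOM reachable from external address"
    return Alert(str(src), str(dst), dport, f.get("action", "?"), reason)


def scan(lines) -> list:
    """Run check_line over every log line and collect the alerts."""
    return [a for a in map(check_line, lines) if a is not None]


# Constructed sample log: one allowlisted session, one external hit, one
# internal non-allowlisted attempt that the firewall denied, and two non-PCOM lines.
SAMPLE_LOG = [
    "2023-12-14T10:00:01Z proto=tcp src=10.10.5.12 dst=10.10.20.7 dport=20256 action=allow",
    "2023-12-14T10:00:02Z proto=tcp src=203.0.113.45 dst=10.10.20.7 dport=20256 action=allow",
    "2023-12-14T10:00:03Z proto=tcp src=10.10.8.3 dst=10.10.20.9 dport=20256 action=deny",
    "2023-12-14T10:00:04Z proto=tcp src=203.0.113.45 dst=10.10.20.7 dport=443 action=allow",
    "2023-12-14T10:00:05Z proto=udp src=203.0.113.45 dst=10.10.20.7 dport=20256 action=allow",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.reason}: {alert.src} -> {alert.dst}:{alert.dport} ({alert.action})")
```

Denied attempts are still reported, because a firewall drop against the PCOM port from an unexpected source is exactly the signal the "actively exploited" note above makes worth reviewing; an allowed connection from an external address means the firewall or allowlist item is not in place yet.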
Long-term hardening
HARDENING: Implement multifactor authentication for all remote access to the OT network
HARDENING: If remote access is required, use a VPN with encryption; ensure the VPN itself is kept current with the latest patches