OTPulse

Unitronics Vision and Samba Series (Update A)

Act NowCVSS 9.8ICS-CERT ICSA-23-348-15Dec 14, 2023
Unitronics
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Unitronics Vision and Samba series PLCs and HMIs contain a vulnerability that allows an unauthenticated attacker to gain administrative control using a default password. The vulnerability exists in VisiLogic software (versions before 9.9.00) and OS (versions before 12.38). Attackers can connect via PCOM protocol over TCP 20256 without authentication credentials and use the default administrative password "1111" to take full control of the device. This gives attackers the ability to modify process logic, alter control parameters, stop operations, or inject malware. The vulnerability is being actively exploited in the wild against water and wastewater systems.

What this means
What could happen
An unauthenticated attacker can gain administrative control of Vision and Samba series PLCs and HMIs, allowing them to alter process logic, change control setpoints, stop operations, or deploy ransomware on critical water/electric infrastructure devices.
Who's at risk
Water utilities, municipal electric utilities, and any facility using Unitronics Vision or Samba series PLCs and HMIs for process control. This includes SCADA systems for pumps, treatment processes, distribution networks, and power generation equipment where these controllers manage critical operational logic.
How it could be exploited
An attacker probes the network to identify Unitronics devices via TCP port 20256 (or other configured PCOM port), then connects without authentication and uses the default password "1111" or no password requirement to gain full administrative access to the device.
Prerequisites
  • Network reachability to TCP port 20256 (or alternative PCOM port configured on the device)
  • Default password 'Unitronics 1111' in use or no password set on PCOM-enabled sockets
  • PCOM (remote operations) enabled on the device
  • No firewall or network access control blocking external connections to the device
Remotely exploitableNo authentication required (default credentials)Low complexity attackActively exploited in the wild (KEV)High EPSS score (13.3%)Default credentials widely knownAffects safety and operational systemsCritical CVSS score (9.8)
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
VisiLogic: <9.9.00<9.9.009.9.00
OS: <12.38<12.3812.38
Remediation & Mitigation
0/11
Do now
0/5
HOTFIXUpdate VisiLogic to version 9.9.00 or later
HOTFIXUpdate OS to version 12.38 or later
WORKAROUNDChange the default password '1111' to a strong custom password on all PLCs and HMIs immediately
WORKAROUNDSet a strong password on all PCOM-enabled sockets
HARDENINGDisable PCOM remote operations or control them using SDW10 role-based access controls
Schedule — requires maintenance window
0/4

Patching may require device reboot — plan for process interruption

HARDENINGChange TCP port from default 20256 to a non-standard port if possible
HARDENINGImplement firewall rules or VPN gateway in front of PLC to restrict network access and require authentication
HARDENINGUse allowlist of authorized IP addresses for PLC access
HARDENINGBack up all PLC logic and configurations to enable rapid recovery from ransomware or unauthorized changes
Long-term hardening
0/2
HARDENINGImplement multifactor authentication for all remote access to the OT network
HARDENINGIf remote access is required, use VPN with encryption; ensure VPN itself is kept current with latest patches
View full CISA ICS-CERT advisory
API: /api/v1/advisories/3dee4576-3a0c-46e4-958d-a268809ef38c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.