OTPulse

Unitronics Vision Legacy series (Update A)

Monitor · 7.5 · ICS-CERT ICSA-24-109-01 · Apr 18, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A default hardcoded password vulnerability in the Unitronics Vision Legacy series Remote HMI feature allows unauthenticated remote access to all affected models (Vision 120, 230, 280, 290, 530). The default Info Mode password is 1111. Successful exploitation allows an attacker with network access to the PLC to log in and take control of the device, including stopping operations, restarting the system, or performing a factory reset. No vendor patch is available for any affected version.

What this means
What could happen
An attacker with network access to the Remote HMI feature can log in using default credentials and take control of the PLC, including stopping operations, restarting the device, or resetting it to factory defaults. This could halt production or disrupt critical processes in manufacturing facilities.
Who's at risk
Unitronics Vision Series PLCs (models 120, 230, 280, 290, 530) used in manufacturing facilities. This affects any plant using these controllers for process control, machine sequencing, or any critical automated operation.
How it could be exploited
An attacker on the network connects to the PLC's Remote HMI service (TCP port 20256) and uses the default "Info Mode" password (1111) to authenticate. Once logged in, the attacker can execute commands to stop, restart, or factory reset the PLC, disrupting plant operations.
Prerequisites
  • Network access to TCP port 20256 (Remote HMI service)
  • Default Info Mode password unchanged (1111)
  • Remote HMI feature enabled on the PLC
remotely exploitable · no authentication required (default credentials) · low complexity · no patch available · all product versions affected
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
5 EOL
Product                   Affected Versions   Fix Status
Vision 120: vers:all/*    All versions        No fix (EOL)
Vision 230: vers:all/*    All versions        No fix (EOL)
Vision 280: vers:all/*    All versions        No fix (EOL)
Vision 290: vers:all/*    All versions        No fix (EOL)
Vision 530: vers:all/*    All versions        No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Immediately change the default Info Mode password (1111) via SI 253 configuration
  • WORKAROUND: Restrict network access to TCP port 20256 using firewall rules to limit connections to authorized engineering workstations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Implement PLC multi-factor access using SB 314 to require additional authentication beyond password
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Vision 120: vers:all/*, Vision 230: vers:all/*, Vision 280: vers:all/*, Vision 290: vers:all/*, Vision 530: vers:all/*. Apply the following compensating controls:
  • HARDENING: Deploy a multi-factor VPN solution to protect remote access to the PLC service
  • HARDENING: Isolate PLC Ethernet networks from the business network and the internet using firewalls and network segmentation
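
To verify that the firewall workaround for TCP port 20256 and the network isolation above are actually in effect, the following added example (not part of the advisory or any vendor tooling) audits firewall flow records for Remote HMI connections from sources outside the authorized engineering workstations. The log format, the allowlist range, the PLC subnet and the sample records are all constructed assumptions.

```python
import ipaddress

REMOTE_HMI_PORT = 20256  # Remote HMI service port named in the advisory

# Assumed site-specific values (constructed for this example)
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.30.0/28")]  # engineering workstations
PLC_NETWORK = ipaddress.ip_network("10.50.0.0/24")         # PLC Ethernet segment

# Constructed flow records: time, src, dst, dst_port, action
SAMPLE_LOG = """\
2024-04-18T08:01:12Z 10.20.30.5 10.50.0.11 20256 ALLOW
2024-04-18T08:03:40Z 10.99.4.17 10.50.0.11 20256 ALLOW
2024-04-18T08:04:02Z 203.0.113.9 10.50.0.12 20256 DENY
2024-04-18T08:05:55Z 10.99.4.17 10.50.0.11 502 ALLOW
garbled line
2024-04-18T08:07:21Z 192.0.2.44 10.50.0.13 20256 ALLOW
"""

def parse(line):
    """Return (time, src, dst, port, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]), parts[4].upper())
    except ValueError:
        return None

def audit(log_text):
    """List Remote HMI flows to the PLC segment from non-allowlisted sources."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, port, action = rec
        if port != REMOTE_HMI_PORT or dst not in PLC_NETWORK:
            continue
        if any(src in net for net in ALLOWED_SOURCES):
            continue
        # ALLOW: the restricting rule is missing or too broad.
        # DENY: the rule works, but something is reaching for the port.
        severity = "rule-gap" if action == "ALLOW" else "blocked-attempt"
        findings.append((severity, ts, str(src), str(dst)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

A "rule-gap" finding means a host other than an authorized workstation completed a connection to the Remote HMI service, so the firewall rule needs tightening; a "blocked-attempt" finding is worth reviewing to see which host is trying to reach the port.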