Cyber Resilience

CVE-2023-2003

CriticalRCE

Published: 13 July 2023

Published
13 July 2023
Modified
08 January 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0037 59.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-2003 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability in Unitronics Vision1210 Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, ranked in the top 41.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to store base64-encoded malicious code in the device's data tables via the PCOM protocol, which can then be retrieved…

more

by a client and executed on the device.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

unitronics
vision1210 firmware
4.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-506

Restricting software to licensed versions and controlling P2P prevents introduction of software containing embedded malicious code from unauthorized sources.

addresses: CWE-506

The control prevents users from installing software that contains embedded malicious code.

addresses: CWE-506

Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for.

addresses: CWE-506

Reverting to a known state removes any malicious code embedded by an attacker.

addresses: CWE-506

The approval and review process for maintenance tools can prevent introduction or continued use of tools containing embedded malicious code.

addresses: CWE-506

Supply chain strategy requires vetting and controls during acquisition to prevent or detect insertion of malicious code by vendors or integrators.

addresses: CWE-506

Background screening for development or deployment roles makes intentional insertion of malicious code by insiders materially harder to accomplish.

addresses: CWE-506

The capability explicitly searches for embedded malicious code and backdoors as indicators of compromise.

References