Cyber Resilience

CVE-2023-6448

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 05 December 2023
Modified: 26 February 2026
KEV Added: 11 December 2023
Patch:
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1329 (94.3rd percentile)
Risk Priority: 48 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-6448 is a critical-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Unitronics Vision1210 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-7 (Boundary Protection).

Deeper analysis

Unitronics VisiLogic versions prior to 9.9.00, which are used to program Vision and Samba PLCs and HMIs, contain a hardcoded default administrative password. The flaw is tracked as CVE-2023-6448 with a CVSS score of 9.8 and is associated with CWE-1188 and CWE-798. It allows unauthenticated network access to the devices without requiring any user interaction.

An attacker with network reachability can authenticate as an administrator and obtain full control over the PLC or HMI, enabling arbitrary configuration changes, logic modification, or operational disruption. No prior authentication or user interaction is needed, making the exposure remotely exploitable over the network.

Vendor guidance and the associated CISA alert recommend upgrading VisiLogic to version 9.9.00 or later, changing any default credentials, and restricting network exposure of the affected devices. Unitronics has also published updated version-change documentation and a dedicated cybersecurity advisory outlining these steps.

CISA has specifically highlighted active exploitation of Unitronics PLCs in water and wastewater systems, underscoring the risk to industrial control environments. The CVE maintains an EPSS score of 0.13 with a recorded peak of 0.15.

EU & UK References

Vulnerability details

Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.

CWE(s): CWE-1188, CWE-798
KEV Date Added: 11 December 2023

Related Threats

Threat-Actor Attribution (AI)

CyberAv3ngers
CISA attributes exploitation of Unitronics PLC default-password flaws (incl. CVE-2023-6448) in US water/wastewater systems to this Iranian IRGC-linked group.

Affected Assets

unitronics  vision1210 firmware  ≤ 12.38
unitronics  vision1040 firmware  ≤ 12.38
unitronics  vision700 firmware   ≤ 12.38
unitronics  vision570 firmware   ≤ 12.38
unitronics  vision560 firmware   ≤ 12.38
unitronics  vision430 firmware   ≤ 12.38
unitronics  vision350 firmware   ≤ 12.38
unitronics  vision130 firmware   ≤ 12.38
unitronics  vision230 firmware   ≤ 12.38
unitronics  vision280 firmware   ≤ 12.38
+7 more product configuration(s) (see NVD for the full list)
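The "Deeper analysis" section gives two version thresholds (VisiLogic fixed in 9.9.00 or later; Vision firmware ≤ 12.38 listed as affected) plus two configuration conditions (default password unchanged, device reachable over the network). The check below is an added example, not code from this page or from Unitronics, that applies those thresholds to a constructed asset inventory. It compares versions numerically rather than as strings (so "9.10.00" correctly sorts above "9.9.00"), only uses the ten firmware models listed above (the "+7 more" are not reproduced), and treats an unknown password status as a finding to verify rather than as safe. The record layout (`model`, `firmware`, `default_password_changed`, `reachable_from_untrusted_network`) is an assumption for the example.

```python
"""Inventory check for CVE-2023-6448 exposure (constructed example, not vendor code)."""
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the advisory text on this page.
VISILOGIC_FIXED = (9, 9, 0)        # VisiLogic 9.9.00 or later is fixed
FIRMWARE_MAX_AFFECTED = (12, 38)   # firmware <= 12.38 is listed as affected

# Partial model list as shown on this page; the "+7 more" entries are not included.
AFFECTED_MODELS = {
    "vision1210", "vision1040", "vision700", "vision570", "vision560",
    "vision430", "vision350", "vision130", "vision230", "vision280",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.9.00' into (9, 9, 0) so comparison is numeric, not lexical.

    Assumes dotted numeric versions, as used in the advisory text."""
    return tuple(int(part) for part in text.strip().split("."))


def visilogic_is_vulnerable(version: str) -> bool:
    """True when the VisiLogic version is below the fixed release 9.9.00."""
    return parse_version(version) < VISILOGIC_FIXED


def firmware_is_affected(model: str, version: str) -> bool:
    """True when the model is on the affected list and firmware is <= 12.38."""
    return (model.strip().lower() in AFFECTED_MODELS
            and parse_version(version) <= FIRMWARE_MAX_AFFECTED)


def assess(asset: Dict[str, object]) -> List[str]:
    """Return the findings for one asset record (hypothetical layout).

    An empty list means nothing to act on. Findings are ordered so that the
    most direct mitigations from the advisory (credential change, boundary
    protection) are easy to read off."""
    findings: List[str] = []
    model = str(asset.get("model", ""))
    firmware = asset.get("firmware")
    if firmware is not None and firmware_is_affected(model, str(firmware)):
        findings.append("firmware within affected range (<= 12.38)")

    pw_changed: Optional[bool] = asset.get("default_password_changed")  # type: ignore[assignment]
    if pw_changed is False:
        findings.append("default administrative password still in use (IA-5)")
    elif pw_changed is None:
        # Unknown is not the same as safe: flag it for verification.
        findings.append("default password status not verified (IA-5)")

    if asset.get("reachable_from_untrusted_network"):
        findings.append("PLC/HMI reachable from an untrusted network (SC-7)")
    return findings


def find_exposed(inventory: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map asset id -> findings for every asset that has at least one finding."""
    result: Dict[str, List[str]] = {}
    for asset in inventory:
        findings = assess(asset)
        if findings:
            result[str(asset.get("id", "?"))] = findings
    return result


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"id": "plc-01", "model": "Vision1210", "firmware": "12.38",
     "default_password_changed": False, "reachable_from_untrusted_network": True},
    {"id": "plc-02", "model": "vision130", "firmware": "12.39",
     "default_password_changed": True, "reachable_from_untrusted_network": False},
    {"id": "plc-03", "model": "vision570", "firmware": "12.10",
     "default_password_changed": None, "reachable_from_untrusted_network": False},
]

if __name__ == "__main__":
    for asset_id, findings in find_exposed(SAMPLE_INVENTORY).items():
        print(asset_id)
        for item in findings:
            print("  -", item)
```

Run as a script it prints the findings per asset; in practice the inventory would come from an asset-management export, and a device whose firmware passes the version check but whose password status is unknown is still reported so the credential change required by the advisory can be confirmed.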

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent (IA-5, Authenticator Management): Requires changing default authenticators and prohibits hardcoded passwords, directly blocking the unauthenticated administrative access enabled by CVE-2023-6448.

prevent (SC-7, Boundary Protection): Enforces boundary protection and network-access restrictions that prevent an attacker from reaching the PLC/HMI over the network to exploit the default credentials.

prevent: Enforces access-control decisions so that even if default credentials are known, only explicitly authorized subjects may perform administrative actions on the device.

References