CVE-2023-6448 - Unitronics Vision PLC and HMI Insecure Default Password Vulnerability

Unitronics | Vision PLC and HMI

• Date Added:
• 2023-12-11

• Due Date:
• 2023-12-18

Vulnerability Name

Unitronics Vision PLC and HMI Insecure Default Password Vulnerability

Description

Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which if left unchanged, can allow attackers to execute remote commands.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional Notes

Note that while it is possible to change the default password, implementors are encouraged to remove affected controllers from public networks and update the affected firmware: https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf; https://nvd.nist.gov/vuln/detail/CVE-2023-6448

Top Security News

Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411)

Microsoft fixes exploited zero-day (CVE-2024-49138)

Malicious ML Models on Hugging Face Leverage Broken Pickle Format to Evade Detection

Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers

Abandoned AWS Cloud Storage: A Major Cyberattack Vector

Windows Server 2025 released—here are the new features

Garmin GPS watches crashing, stuck in triangle 'reboot loop'

Windows 11 KB5050094 update fixes bugs causing audio issues

Top Alert List

Content Security Policy (CSP) Header Not Set

CSP

MediumMissing Anti-clickjacking Header

MediumAbsence of Anti-CSRF Tokens

InformationalInformation Disclosure - Suspicious Comments

MediumContent Security Policy (CSP) Header Not Set

InformationalModern Web Application

LowCross-Domain JavaScript Source File Inclusion

InformationalRe-examine Cache-control Directives

LowX-Content-Type-Options Header Missing

Latest CVE List

CVE-2025-0994 Trimble Cityworks Deserialization Vulnerability

CVE-2025-0411 7-Zip Mark of the Web Bypass Vulnerability

CVE-2022-23748 Dante Discovery Process Control Vulnerability

CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability

CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability

CVE-2020-15069 Sophos XG Firewall Buffer Overflow Vulnerability

CVE-2024-53104 Linux Kernel Out-of-Bounds Write Vulnerability

CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability

CVE-2024-29059 Microsoft .NET Framework Information Disclosure Vulnerability

CVE-2018-9276 Paessler PRTG Network Monitor OS Command Injection Vulnerability

Common CWEs

MediumCWE-754 Improper Check for Unusual or Exceptional Conditions

CWE-168 Improper Handling of Inconsistent Special Elements

HighCWE-61 UNIX Symbolic Link (Symlink) Following

CWE-627 Dynamic Variable Evaluation

CWE-1341 Multiple Releases of Same Resource or Handle

LowCWE-783 Operator Precedence Logic Error

CWE-1261 Improper Handling of Single Event Upsets

CWE-1262 Improper Access Control for Register Interface

HighCWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax

CWE-1106 Insufficient Use of Symbolic Constants