CVE-2023-6448
CRITICAL KEV
Unitronics VisiLogic <9.9.00 - Info Disclosure
Title source: llm
Exploitation Summary
CVE-2023-6448 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 11, 2023.
Description
Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.
References (5)
Core References
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-6448
Third Party Advisory, US Government Resource
https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems
Release Notes
https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf
Vendor Advisory
https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf
Scores
CVSS v3: 9.8
EPSS: 0.1329
EPSS Percentile: 94.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: active
Automatable: yes
Technical Impact: total
Details
CISA KEV: 2023-12-11
VulnCheck KEV: 2023-11-28
InTheWild.io: 2023-12-11
ENISA EUVD: EUVD-2023-58685
CWE: CWE-1188, CWE-798
Status: published
Products (17)
unitronics/samba_3.5_firmware < 12.38
unitronics/samba_4.3_firmware < 12.38
unitronics/samba_7_firmware < 12.38
unitronics/visilogic < 9.9.00
unitronics/vision1040_firmware < 12.38
unitronics/vision120_firmware < 12.38
unitronics/vision1210_firmware < 12.38
unitronics/vision130_firmware < 12.38
unitronics/vision230_firmware < 12.38
unitronics/vision280_firmware < 12.38
... and 7 more
Published: Dec 05, 2023
KEV Added: Dec 11, 2023
Tracked Since: Feb 18, 2026