CVE-2023-6448

CRITICAL KEV

Unitronics VisiLogic <9.9.00 - Info Disclosure

Title source: llm

Description

Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.

Scores

CVSS v3 9.8
EPSS 0.1329
EPSS Percentile 94.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2023-12-11
VulnCheck KEV 2023-11-28
InTheWild.io 2023-12-11
ENISA EUVD EUVD-2023-58685
CWE CWE-1188, CWE-798
Status published
Products (17)
unitronics/samba_3.5_firmware < 12.38
unitronics/samba_4.3_firmware < 12.38
unitronics/samba_7_firmware < 12.38
unitronics/visilogic < 9.9.00
unitronics/vision1040_firmware < 12.38
unitronics/vision120_firmware < 12.38
unitronics/vision1210_firmware < 12.38
unitronics/vision130_firmware < 12.38
unitronics/vision230_firmware < 12.38
unitronics/vision280_firmware < 12.38
... and 7 more
Published Dec 05, 2023
KEV Added Dec 11, 2023
Tracked Since Feb 18, 2026