Mallory
Critical | CISA KEV | Exploited in the wild | Public exploit

Insecure Default Password in Unitronics Vision PLC and HMI

Identifiers: CVE-2023-6448, CWE-1392

CVE-2023-6448 affects Unitronics VisiLogic before version 9.9.00, as used in Unitronics Vision and Samba PLCs and HMIs. The vulnerability is the use of a default administrative password on the device. Because the administrative credential is default and known, an unauthenticated attacker who can reach the PLC or HMI over the network can authenticate with administrative privileges and take control of the system. Public reporting and government advisories tie this issue to active exploitation against internet-exposed Unitronics devices in critical infrastructure environments, including the water sector.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows full administrative control of the vulnerable PLC or HMI. In operational technology environments, this can enable unauthorized modification of device configuration and logic, manipulation of HMI functions, disruption of industrial processes, and loss of availability of dependent services. Reported incidents linked to exploitation of this flaw include operational disruption in water-sector environments.

Mitigation

If you can’t patch tonight, do this now.

If immediate remediation is not possible, remove affected PLCs/HMIs from direct internet exposure, restrict network access to trusted management hosts and segments, and disable unnecessary remote access paths. Enforce network segmentation between OT and IT networks, monitor for unauthorized administrative access, and review device configurations for signs of compromise or tampering. Because exploitation requires network reachability, limiting access to the management interface materially reduces exposure.

Remediation

Patch, then assume compromise.

Upgrade Unitronics VisiLogic to version 9.9.00 or later. Replace the default administrative password with a strong, unique credential on all affected Vision and Samba PLC/HMI deployments. Identify exposed Unitronics devices, especially internet-reachable systems, and apply vendor-recommended updates and hardening guidance across all affected assets.
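
The triage implied by the mitigation and remediation guidance above, as an added example that is not part of the original page or any vendor tooling: it ranks a constructed asset inventory by internet exposure, VisiLogic version below 9.9.00, and whether the default administrative password is confirmed changed. The CSV column names, host names and the idea of recording a VisiLogic version per device are assumptions.

```python
import csv
import io

FIXED = (9, 9, 0)                 # VisiLogic 9.9.00, the fixed version named above
FAMILIES = ("vision", "samba")    # product families from the affected-products list

# Constructed sample inventory; hosts and column names are assumptions.
SAMPLE = """host,model,visilogic,internet_exposed,default_password
plc-pump-01,Vision570,9.8.65,yes,yes
hmi-tank-02,Samba 4.3,9.9.00,no,no
plc-lift-03,Vision130,9.8.31,no,yes
plc-dose-04,Vision1210,,yes,no
hist-05,Other HMI,1.0.0,yes,yes
"""

def parse_version(text):
    """Return (major, minor, patch) or None if the field is empty or malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(row):
    """Return (priority, reasons); 3 = exposed and weak, 2 = weak, 1 = exposed, 0 = none."""
    if not row["model"].strip().lower().startswith(FAMILIES):
        return 0, []
    reasons = []
    version = parse_version(row["visilogic"])
    if version is None:
        reasons.append("VisiLogic version unknown, treat as unpatched")
    elif version < FIXED:
        reasons.append("VisiLogic below 9.9.00")
    # Anything other than an explicit "no" counts as unconfirmed.
    if row["default_password"].strip().lower() != "no":
        reasons.append("default administrative password not confirmed changed")
    weak = bool(reasons)
    exposed = row["internet_exposed"].strip().lower() != "no"
    if exposed:
        reasons.append("reachable from the internet")
    return 2 * weak + exposed, reasons

def worklist(csv_text):
    """Return [(priority, host, reasons)] for in-scope devices, most urgent first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    found = [(p, r["host"], why) for r in rows for p, why in [triage(r)] if p]
    return sorted(found, key=lambda item: (-item[0], item[1]))

if __name__ == "__main__":
    for priority, host, why in worklist(SAMPLE):
        print(f"P{priority} {host}: {'; '.join(why)}")
```

A device with a missing version field is ranked as unpatched rather than skipped, so gaps in the inventory surface at the top of the list instead of hiding exposure.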
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

| Vendor | Product | Type |
|---|---|---|
| Unitronics | Samba 3.5 Firmware | operating_system |
| Unitronics | Samba 4.3 Firmware | operating_system |
| Unitronics | Samba 7 Firmware | operating_system |
| Unitronics | Visilogic | application |
| Unitronics | Vision1040 Firmware | operating_system |
| Unitronics | Vision120 Firmware | operating_system |
| Unitronics | Vision1210 Firmware | operating_system |
| Unitronics | Vision130 Firmware | operating_system |
| Unitronics | Vision230 Firmware | operating_system |
| Unitronics | Vision280 Firmware | operating_system |
| Unitronics | Vision290 Firmware | operating_system |
| Unitronics | Vision350 Firmware | operating_system |
| Unitronics | Vision430 Firmware | operating_system |
| Unitronics | Vision530 Firmware | operating_system |
| Unitronics | Vision560 Firmware | operating_system |
| Unitronics | Vision570 Firmware | operating_system |
| Unitronics | Vision700 Firmware | operating_system |

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
