CVE-2023-6448 — Unitronics Vision PLC and HMI Insecure Default Password Vulnerability

Unitronics Vision Series PLC/HMI — Default Password '1111' on PCOM Protocol Enables Remote ICS Command Execution; Iranian IRGC-Linked Attack on Pennsylvania Water Utility

What is Unitronics Vision PLC/HMI?

Unitronics Vision Series PLCs (Programmable Logic Controllers) and HMIs (Human-Machine Interfaces) are combined control and display devices widely used in industrial control systems (ICS) for water treatment, HVAC, manufacturing, and other process automation applications. These devices run ladder logic programs that control physical processes — opening/closing valves, controlling pumps, adjusting chemical dosing — and provide a touchscreen interface for operators. Vision Series PLCs use Unitronics' PCOM protocol (TCP port 20256) for remote programming, monitoring, and control. Many installations have PLCs directly internet-accessible for remote monitoring, representing a critical attack surface for threat actors targeting operational technology (OT) infrastructure.

Overview

CVE-2023-6448 is a critical insecure default password vulnerability in Unitronics Vision Series PLCs and HMIs: the PCOM protocol interface ships with a default password of "1111" that, if left unchanged, allows unauthenticated remote command execution — including reading and writing PLC memory and modifying control logic. The vulnerability became internationally prominent when Iran's IRGC-affiliated hacker group Cyber Av3ngers exploited it on November 25, 2023 to compromise the Municipal Water Authority of Aliquippa, Pennsylvania, displaying anti-Israel messages on the HMI screen and forcing the utility to switch to manual operations. CISA issued a joint advisory with FBI, EPA, and NSA before the CVE was formally published.

Affected Versions

Product                                          Status
Unitronics Vision Series PLC/HMI (all firmware)  Patch firmware; change default password; remove from public internet

Technical Details

CWE-1188 (Insecure Default Initialization of Resource). The Unitronics PCOM protocol interface — used for remote engineering, programming, and monitoring of Vision Series PLCs via TCP port 20256 — is protected by a password that is set to "1111" at the factory and documented in Unitronics' manuals. Operators who do not change this password (a common practice in OT environments where devices are configured once and rarely revisited) leave the PCOM interface fully accessible to any attacker who can reach the device on TCP 20256.

Through PCOM, an attacker with the default password can:

  • Read all PLC memory, including process variables, setpoints, and control parameters
  • Write to PLC memory, modifying control logic behavior
  • Download a complete memory dump
  • Upload modified ladder logic programs to the PLC
  • Trigger physical actions in the controlled process (pump operations, valve positions, chemical dosing adjustments)

At a water treatment facility, arbitrary PLC writes could be used to manipulate water treatment processes — a physical safety risk to the water supply.

Discovery

Exploitation was identified in the context of the Aliquippa water utility attack. Cyber Av3ngers — a threat actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command — compromised PLCs at the Aliquippa utility and displayed the message "You have been hacked, Down with Israel" on the HMI screen, declaring it a protest against Israel in the context of the October 2023 Gaza conflict. The utility's affected booster station was placed in manual control mode. No disruption to water treatment quality was reported, but the attack demonstrated the real-world accessibility of critical infrastructure PLCs.

Exploitation Context

Cyber Av3ngers conducted a wave of attacks against internet-exposed Unitronics PLCs in water utilities, energy facilities, and other critical infrastructure across the United States and Israel, exploiting the default password across multiple facilities simultaneously. CISA's joint advisory identified multiple water and wastewater system operators as targets. The ease of exploitation — publicly documented default password, internet-exposed PCOM port on Shodan — made this a low-sophistication, high-impact attack accessible to any actor willing to conduct Shodan reconnaissance.

The attack pattern exemplifies the risk of internet-accessible ICS/OT devices: critical infrastructure control systems that were never designed for internet exposure, running on default credentials, directly reachable by any global attacker.

Remediation

  1. Change the PCOM password immediately from the default "1111" to a strong, unique password on all Unitronics Vision Series PLCs.
  2. Remove PLCs from direct internet exposure — place them behind a VPN or network firewall that requires authentication before reaching the PCOM port (TCP 20256).
  3. Update Unitronics firmware to the latest version per the security advisory.
  4. Apply network segmentation: OT/ICS networks should be isolated from IT networks and the internet via industrial DMZ architecture.
  5. If a PLC was accessible with the default password, treat it as potentially compromised — review PLC memory, ladder logic, and process logs for unauthorized modifications.
  6. Implement OT-specific monitoring to detect unexpected PCOM connections or PLC configuration changes.
  7. Register Unitronics devices with a secure remote access solution (VPN with MFA) rather than direct internet exposure if remote access is operationally required.
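
One way to implement the PCOM monitoring in step 6 and to verify the exposure fix in step 2, as an added example that is not from Unitronics or the CISA advisory: a Python check over firewall flow records that flags any connection to TCP 20256 on the PLC subnet from outside an approved engineering range. The addressing plan, the log format, and all sample records are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

PCOM_PORT = 20256  # Unitronics PCOM over TCP, as stated on this page

# Assumptions for illustration (constructed addressing plan, not from the page):
SITE_NET = ipaddress.ip_network("10.20.0.0/16")  # all utility-owned address space
PLC_NET = ipaddress.ip_network("10.20.30.0/24")  # Vision PLC/HMI subnet
ENG_NET = ipaddress.ip_network("10.20.5.0/28")   # approved engineering workstations

# Constructed flow records: time src sport dst dport proto action
SAMPLE_FLOWS = """\
2023-11-25T02:14:07Z 10.20.5.4 51322 10.20.30.11 20256 tcp allow
2023-11-25T02:15:40Z 203.0.113.77 40112 10.20.30.11 20256 tcp allow
2023-11-25T02:16:02Z 10.20.40.9 49800 10.20.30.12 20256 tcp allow
2023-11-25T02:16:30Z 198.51.100.23 33210 10.20.30.12 20256 tcp deny
2023-11-25T02:17:11Z 10.20.5.4 51400 10.20.30.11 502 tcp allow
malformed line
"""

class Finding(NamedTuple):
    time: str
    src: str
    dst: str
    verdict: str

def classify(line: str) -> Optional[Finding]:
    """Return a Finding for unexpected PCOM traffic, or None if the flow is fine."""
    parts = line.split()
    if len(parts) != 7:
        return None  # skip malformed records instead of crashing the monitor
    time, src, _sport, dst, dport, proto, action = parts
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return None
    if proto != "tcp" or dport != str(PCOM_PORT) or dst_ip not in PLC_NET:
        return None  # not PCOM traffic to a PLC
    if src_ip in ENG_NET:
        return None  # expected engineering traffic
    if src_ip not in SITE_NET:
        # An allowed external flow means the PLC is still reachable from outside.
        verdict = "EXTERNAL_REACHED_PCOM" if action == "allow" else "EXTERNAL_BLOCKED"
    else:
        verdict = "INTERNAL_UNAPPROVED"  # segmentation gap inside the site
    return Finding(time, src, dst, verdict)

def scan(text: str) -> list[Finding]:
    return [f for f in map(classify, text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.time} {f.verdict:<22} {f.src} -> {f.dst}:{PCOM_PORT}")
```

An EXTERNAL_REACHED_PCOM finding means the firewall change in step 2 is not in effect for that PLC, and the device should be handled as in step 5.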

Key Details

Property              Value
CVE ID                CVE-2023-6448
Vendor / Product      Unitronics — Vision PLC and HMI
NVD Published         2023-12-05
NVD Last Modified     2026-02-26
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-1188
CISA KEV Added        2023-12-11
CISA KEV Deadline     2023-12-18
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2023-12-18. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-11-25  Cyber Av3ngers (IRGC-affiliated) attacks Municipal Water Authority of Aliquippa, PA — compromises Unitronics Vision PLC at booster station via default password
2023-12-01  CISA, FBI, EPA, NSA issue joint advisory on IRGC cyber actors exploiting Unitronics PLCs
2023-12-05  CVE-2023-6448 published
2023-12-11  CISA adds to Known Exploited Vulnerabilities catalog
2023-12-18  CISA BOD 22-01 remediation deadline