1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
- Vendor: Unitronics
- Equipment: Vision Series
- Vulnerability: Initialization of a Resource with an Insecure Default
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to take administrative control of the affected device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Unitronics products are affected:
- VisiLogic: Versions prior to 9.9.00
3.2 Vulnerability Overview
Unitronics Vision Series PLCs and HMIs ship with a default administrative password, and many devices are put into service without changing it. An unauthenticated attacker with network access to such a PLC or HMI can authenticate with the default credentials and take administrative control of the device.
CVE-2023-6448 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
For more information, see the CISA Known Exploited Vulnerabilities Catalog (KEV).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Israel
CISA became aware of active exploitation for this vulnerability.
4. MITIGATIONS
Unitronics has patched this vulnerability in VisiLogic version 9.9.00 and recommends all users update to the latest version. Please see Unitronics’ update log for more information.
For users who cannot update to the latest version, CISA urges organizations to:
- Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password “1111” is not in use.
- Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
- Disconnect the PLC from the open internet. If remote access is necessary, control network access to the PLC.
- Implement a firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enforce multifactor authentication for remote access even if the PLC itself does not support it. Unitronics also offers a cellular-based long-haul transport device that connects securely to its cloud services.
- Use an allowlist of IP addresses permitted to reach the PLC.
- Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory-resetting a device and redeploying its configuration in the event of a ransomware incident.
- If possible, use a TCP port other than the default, TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated with Unitronics PLCs. Once a host is identified, they use scripts specific to PCOM/TCP to query and validate the system, enabling further probing and connection. Note that moving the port only raises the cost of discovery; it does not replace the password change and network access controls above. If available, use PCOM/TCP-aware filters to inspect and restrict the packets reaching the PLC.
- Keep Unitronics and other PLC devices updated with the latest versions from the manufacturer.
- Confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment.
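The following is an added example, not code from the advisory or from Unitronics, showing what an IP-allowlist plus PCOM/TCP-aware filter and a probe detector for the pattern described above could look like. The PCOM/TCP frame layout it assumes (6-byte header of transaction id, protocol mode 0x65 for ASCII, a reserved byte and a little-endian payload length, followed by an ASCII payload of `/`, two-character unit id, command letters, data, a two-hex-digit byte-sum checksum and `\r`) is taken from public third-party protocol write-ups, not vendor documentation, and should be verified against your own captures before use. The allowlisted engineering station 10.0.1.5, the permitted command set, and the sample traffic records are all constructed for the example.

```python
"""PCOM/TCP allowlist filter and probe detector (added example).

Assumed frame layout (from public third-party write-ups, not vendor docs):
  header: txid uint16 LE | mode (0x65 ASCII, 0x66 binary) | reserved | payload length uint16 LE
  ASCII payload: '/' + unit id (2 chars) + command letters + data + checksum (2 hex) + '\r'
  checksum: sum of the ASCII bytes between '/' and the checksum, mod 256
"""
import re
import struct
from collections import defaultdict

PCOM_PORT = 20256
MODE_ASCII = 0x65
HEADER = struct.Struct("<HBBH")

# Hypothetical policy for this example: only the engineering station may speak
# PCOM/TCP to the PLCs, and only the identification command is permitted.
ALLOWLIST_IPS = {"10.0.1.5"}
ALLOWED_COMMANDS = {"ID"}


def ascii_checksum(body: bytes) -> str:
    """Two uppercase hex digits of the byte sum mod 256."""
    return f"{sum(body) % 256:02X}"


def build_ascii_frame(unit: int, command: str, data: str = "", txid: int = 1) -> bytes:
    """Build a PCOM/TCP ASCII frame; used here only to construct sample traffic."""
    body = f"{unit:02d}{command}{data}".encode("ascii")
    payload = b"/" + body + ascii_checksum(body).encode("ascii") + b"\r"
    return HEADER.pack(txid, MODE_ASCII, 0, len(payload)) + payload


def parse_ascii_frame(frame: bytes) -> dict:
    """Validate header, length, framing and checksum; raise ValueError on any failure."""
    if len(frame) < HEADER.size:
        raise ValueError("short header")
    txid, mode, _reserved, length = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    if mode != MODE_ASCII:
        raise ValueError(f"unsupported mode 0x{mode:02x}")
    if length != len(payload):
        raise ValueError("length field does not match payload")
    if len(payload) < 6 or not (payload.startswith(b"/") and payload.endswith(b"\r")):
        raise ValueError("bad framing")
    body, given = payload[1:-3], payload[-3:-1].decode("ascii", "replace")
    if ascii_checksum(body) != given:
        raise ValueError("checksum mismatch")
    m = re.match(rb"(\d{2})([A-Z]+)(.*)", body, re.DOTALL)  # command = leading letters (simplification)
    if not m:
        raise ValueError("unparseable body")
    unit, command, data = (g.decode("ascii") for g in m.groups())
    return {"txid": txid, "unit": unit, "command": command, "data": data}


def filter_frame(src_ip: str, dst_port: int, frame: bytes) -> tuple:
    """Decide ALLOW/DROP/PASS for one inbound TCP segment heading toward a PLC."""
    if dst_port != PCOM_PORT:
        return ("PASS", "not PCOM/TCP")
    if src_ip not in ALLOWLIST_IPS:
        return ("DROP", "source not allowlisted")
    try:
        parsed = parse_ascii_frame(frame)
    except ValueError as err:
        return ("DROP", f"malformed frame: {err}")
    if parsed["command"] not in ALLOWED_COMMANDS:
        return ("DROP", f"command {parsed['command']} not permitted")
    return ("ALLOW", f"{parsed['command']} from allowlisted host")


def find_probers(records: list, min_targets: int = 3) -> dict:
    """Sources that touched TCP 20256 on several distinct hosts: the probing pattern in the advisory."""
    targets = defaultdict(set)
    for r in records:
        if r["dst_port"] == PCOM_PORT:
            targets[r["src_ip"]].add(r["dst_ip"])
    return {ip: len(t) for ip, t in targets.items() if len(t) >= min_targets}


# Constructed sample traffic for the example (not a real capture).
ID_FRAME = build_ascii_frame(0, "ID")
BAD_SUM = ID_FRAME[:-3] + b"00\r"      # same length, tampered checksum
BINARY = HEADER.pack(1, 0x66, 0, 0)     # binary-mode frame with empty payload
SAMPLE_RECORDS = [
    {"src_ip": "10.0.1.5", "dst_ip": "10.0.2.10", "dst_port": PCOM_PORT, "frame": ID_FRAME},
    {"src_ip": "10.0.1.5", "dst_ip": "10.0.2.10", "dst_port": PCOM_PORT, "frame": BAD_SUM},
    {"src_ip": "10.0.1.5", "dst_ip": "10.0.2.10", "dst_port": PCOM_PORT, "frame": BINARY},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.2.10", "dst_port": PCOM_PORT, "frame": ID_FRAME},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.2.11", "dst_port": PCOM_PORT, "frame": ID_FRAME},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.2.12", "dst_port": PCOM_PORT, "frame": ID_FRAME},
    {"src_ip": "10.0.1.9", "dst_ip": "10.0.2.10", "dst_port": 443, "frame": b""},
]


def run_demo() -> list:
    """Filter decision for each sample record, in order."""
    return [filter_frame(r["src_ip"], r["dst_port"], r["frame"])[0] for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for r, verdict in zip(SAMPLE_RECORDS, run_demo()):
        print(f"{r['src_ip']} -> {r['dst_ip']}:{r['dst_port']}  {verdict}")
    print("probing sources:", find_probers(SAMPLE_RECORDS))
```

The allowlist check runs before any protocol parsing, so unknown sources never get to exercise the parser; the checksum and length checks catch the half-formed frames that scanning scripts tend to send, and `find_probers` surfaces the one-source-many-PLCs pattern on port 20256 even when every individual frame is well formed.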
CISA and WWS Sector partners have developed numerous tools and resources that water utilities can use to increase their cybersecurity. Please visit:
CISA has also provided further guidance in the following CSA.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
- Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
- December 14, 2023: Initial Publication