Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.
The vulnerability results from the use of a hardcoded default administrator password in VisiLogic software (CWE-798, CWE-1188). Since this password is identical across all installations and changing it is not enforced, an attacker can log in to the device over the network without any authentication by providing the known default credentials. The access control mechanism is effectively inactive, which classifies the vulnerability as a complete Authentication Bypass.
Attackers gain full administrative control over the device — they can modify PLC control logic, change industrial process parameters, disable devices, or install malicious configurations, posing a serious threat to the continuity of industrial infrastructure (OT/ICS) operations.
VisiLogic software must be updated to version 9.9.00 or newer. Additionally, the default administrator password must be immediately changed to a strong and unique one. It is also recommended to restrict network access to Unitronics devices through OT network segmentation and use VPN for remote access. Detailed guidance is provided in the manufacturer's security guide and CISA alert.
Unitronics VisiLogic before version 9.9.00 used in PLC controllers and HMI panels from the Vision series (including Vision1210, Vision1040, Vision700) and Samba
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HUnitronics Samba 3.5
HWUnitronicswszystkie wersjeUnitronics Samba 3.5 Firmware
OSUnitronics< 12.38Unitronics Samba 4.3
HWUnitronicswszystkie wersjeUnitronics Samba 4.3 Firmware
OSUnitronics< 12.38Unitronics Samba 7
HWUnitronicswszystkie wersjeUnitronics Samba 7 Firmware
OSUnitronics< 12.38Unitronics Visilogic
APPUnitronics< 9.9.00Unitronics Vision1040
HWUnitronicswszystkie wersjeUnitronics Vision1040 Firmware
OSUnitronics< 12.38Unitronics Vision120
HWUnitronicswszystkie wersjeUnitronics Vision120 Firmware
OSUnitronics< 12.38Unitronics Vision1210
HWUnitronicswszystkie wersjeUnitronics Vision1210 Firmware
OSUnitronics< 12.38Unitronics Vision130
HWUnitronicswszystkie wersjeUnitronics Vision130 Firmware
OSUnitronics< 12.38Unitronics Vision230
HWUnitronicswszystkie wersjeUnitronics Vision230 Firmware
OSUnitronics< 12.38Unitronics Vision280
HWUnitronicswszystkie wersjeUnitronics Vision280 Firmware
OSUnitronics< 12.38Unitronics Vision290
HWUnitronicswszystkie wersjeUnitronics Vision290 Firmware
OSUnitronics< 12.38Unitronics Vision350
HWUnitronicswszystkie wersjeUnitronics Vision350 Firmware
OSUnitronics< 12.38Unitronics Vision430
HWUnitronicswszystkie wersjeUnitronics Vision430 Firmware
OSUnitronics< 12.38Unitronics Vision530
HWUnitronicswszystkie wersjeUnitronics Vision530 Firmware
OSUnitronics< 12.38Unitronics Vision560
HWUnitronicswszystkie wersjeUnitronics Vision560 Firmware
OSUnitronics< 12.38Unitronics Vision570
HWUnitronicswszystkie wersje
CISA KEV — detailsi
- Vendori
- Unitronics
- Producti
- Vision PLC and HMI
- Added to KEVi
- December 11, 2023
- Remediation deadline (US Federal)i
- December 18, 2023(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which if left unchanged, can allow attackers to execute remote commands.
Related vulnerabilities
Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which cou...
Unitronics Vision PLC – CWE-703: Improper Check or Handling of Exceptional Conditions may allow denial of serv...
Path Traversal w Unitronics Unilogic umożliwiający RCE
Pominięcie uwierzytelnienia w Unitronics Unilogic (Authentication Bypass)
Stack-based buffer overflow in Unitronics VisiLogic OPLC IDE before 9.8.30 allows remote attackers to execute ...