Cybersecurity researchers have uncovered two critical security flaws affecting the Red Lion Sixnet remote terminal unit (RTU) product. Successful exploitation could lead to code execution with highest privileges.
This flaw is tracked as CVE-2023-40151 and CVE-2023-42770, both rated 10.0 in the CVSS scoring system.
“This vulnerability affects Red Lion SixTRAK and VersaTRAK RTU and allows an unauthenticated attacker to execute commands with root privileges,” Claroty Team 82 researchers said in a report released Tuesday.
Red Lion’s Sixnet RTU provides advanced automation, control, and data collection capabilities in industrial automation and control systems primarily across the energy, water, wastewater treatment, transportation, utilities, and manufacturing sectors.
These industrial devices are configured using a Windows utility called the Sixnet IO Tool Kit, which uses the proprietary Sixnet “universal” protocol used to enable interfacing and communication between the kit and the RTU.
On top of this mechanism, there is also a user authorization system to support file management, setting/retrieving station information, retrieving Linux kernel and boot versions, etc. via the UDP protocol.
The two vulnerabilities identified by Claroty are listed below.
CVE-2023-42770 – Authentication bypass resulting from Sixnet RTU software listening on the same port (number 1594) for UDP and TCP. Requires only an authentication challenge over UDP and accepts incoming messages over TCP without prompting for authentication. CVE-2023-40151 – Remote code execution vulnerability (UDR) exploiting the Sixnet Universal Driver Built-in support for Linux shell command execution to execute arbitrary code with root privileges
As a result, an attacker could chain both flaws together to bypass authentication protections and execute commands to remotely execute code.
“On Red Lion SixTRAK and VersaTRAK series RTUs with authenticated user (UDR-A) enabled, any Sixnet UDR message received over TCP/IP, the RTU accepts the message without an authentication challenge. If user authentication is not enabled, the shell can execute commands with highest privileges,” Red Lion said in an advisory released in June 2025.
Users are encouraged to patch the two vulnerabilities as soon as possible. It is also recommended that you enable user authentication on the Red Lion RTU and block access to the affected RTU over TCP.
According to an alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in November 2023, this flaw affects the following products:
ST-IPm-8460: Firmware version 6.0.202 or later ST-IPm-6350: Firmware version 4.9.114 or later VT-mIPm-135-D: Firmware version 4.9.114 or later VT-mIPm-245-D: Firmware version 4.9.114 or later VT-IPm2m-213-D: Firmware version 4.9.114 or later VT-IPm2m-113-D: Firmware version 4.9.114 or later
“Red Lion’s RTU is prominent in many industrial automation environments, and if an attacker can gain access to the device and execute commands as root, the potential for process disruption or damage is very high,” said Claroty.
Source link
