Cybersecurity researchers have disclosed two crucial security flaws impacting Pink Lion Sixnet distant terminal unit (RTU) merchandise that, if efficiently exploited, might end in code execution with the best privileges.
The shortcomings, tracked as CVE-2023-40151 and CVE-2023-42770, are each rated 10.0 on the CVSS scoring system.
“The vulnerabilities have an effect on Pink Lion SixTRAK and VersaTRAK RTUs, and permit an unauthenticated attacker to execute instructions with root privileges,” Claroty Workforce 82 researchers mentioned in a report printed Tuesday.
Pink Lion’s Sixnet RTUs present superior automation, management, and knowledge acquisition capabilities in industrial automation and management programs, primarily throughout power, water, and wastewater remedy, transportation, utilities, and manufacturing sectors.
These industrial gadgets are configured utilizing a Home windows utility known as Sixnet IO Device Equipment, with a proprietary Sixnet “Common” protocol used to interface and allow communication between the equipment and the RTUs.
There additionally exists a user-permission system atop this mechanism to assist file administration, set/get station data, get hold of Linux kernel and boot model, amongst others, over the UDP protocol.
The 2 vulnerabilities recognized by Claroty are listed under –
- CVE-2023-42770 – An authentication bypass that arises because of the Sixnet RTU software program listening to the identical port (quantity 1594) in UDP and TCP that solely prompts for an authentication problem over UDP, whereas accepting the incoming message over TCP with out prompting for any authentication
- CVE-2023-40151 – A distant code execution vulnerability that leverages Sixnet Common Driver’s (UDR) built-in assist for Linux shell command execution to run arbitrary code with root privileges
Because of this, an attacker might chain each flaws to sidestep authentication protections to run instructions and obtain distant code execution.
“Pink Lion SixTRAK and VersaTRAK Collection RTUs with authenticated customers enabled (UDR-A), any Sixnet UDR message obtained over TCP/IP, the RTU will settle for the message with no authentication problem,” Pink Lion mentioned in an advisory launched again in June 2025. “When person authentication just isn’t enabled, the shell can execute instructions with the best privileges.”
Customers are suggested to use the patches for the 2 vulnerabilities as quickly as potential. It is also really useful to allow person authentication within the Pink Lion RTU and block entry over TCP to the affected RTUs.
Based on an alert issued by the U.S. Cybersecurity and Infrastructure Safety Company (CISA) in November 2023, the issues affect the next merchandise –
- ST-IPm-8460: Firmware 6.0.202 and later
- ST-IPm-6350: Firmware model 4.9.114 and later
- VT-mIPm-135-D: Firmware model 4.9.114 and later
- VT-mIPm-245-D: Firmware model 4.9.114 and later
- VT-IPm2m-213-D: Firmware model 4.9.114 and later
- VT-IPm2m-113-D: Firmware model 4.9.114 and later
“Pink Lion’s RTUs are distinguished in lots of industrial automation settings, and an attacker with entry to the gadgets and the power to run instructions at root presents important prospects for course of disruption or injury,” Claroty famous.
