Cyber Web Spider Blog – News

Two CVSS 10.0 Bugs in Red Lion RTUs Could Hand Hackers Full Industrial Control

Posted on October 15, 2025 by CWS

Oct 15, 2025Ravie LakshmananVulnerability / Important Infrastructure
Cybersecurity researchers have disclosed two vital safety flaws impacting Crimson Lion Sixnet distant terminal unit (RTU) merchandise that, if efficiently exploited, might end in code execution with the very best privileges.
The shortcomings, tracked as CVE-2023-40151 and CVE-2023-42770, are each rated 10.0 on the CVSS scoring system.
“The vulnerabilities have an effect on Crimson Lion SixTRAK and VersaTRAK RTUs, and permit an unauthenticated attacker to execute instructions with root privileges,” Claroty Staff 82 researchers stated in a report printed Tuesday.
Crimson Lion’s Sixnet RTUs present superior automation, management, and knowledge acquisition capabilities in industrial automation and management methods, primarily throughout power, water, and wastewater remedy, transportation, utilities, and manufacturing sectors.
These industrial units are configured utilizing a Home windows utility known as Sixnet IO Software Package, with a proprietary Sixnet “Common” protocol used to interface and allow communication between the package and the RTUs.

There also exists a user-permission system atop this mechanism to support file management, setting and getting station information, and obtaining the Linux kernel and boot version, among others, over the UDP protocol.

The two vulnerabilities identified by Claroty are listed below –

CVE-2023-42770 – An authentication bypass that arises because the Sixnet RTU software listens on the same port (number 1594) over both UDP and TCP, but only prompts for an authentication challenge over UDP, while accepting incoming messages over TCP without prompting for any authentication

CVE-2023-40151 – A remote code execution vulnerability that leverages the Sixnet Universal Driver’s (UDR) built-in support for Linux shell command execution to run arbitrary code with root privileges

As a result, an attacker could chain both flaws to sidestep authentication protections, run commands, and achieve remote code execution.

“Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message received over TCP/IP, the RTU will accept the message with no authentication challenge,” Red Lion said in an advisory released back in June 2025. “When user authentication is not enabled, the shell can execute commands with the highest privileges.”

Users are advised to apply the patches for the two vulnerabilities as soon as possible. It is also recommended to enable user authentication in the Red Lion RTU and block access over TCP to the affected RTUs.
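To check that the recommended TCP block is actually in force, flow records for the RTU segment can be audited for traffic to port 1594. The following is an added example, not code from the article, Claroty, or Red Lion; the flow-record format, the documentation-range addresses, and the engineering-workstation allowlist are constructed assumptions.

```python
import csv
import io
import ipaddress

SIXNET_PORT = 1594  # port the article names for Sixnet UDR over UDP and TCP

# Constructed inventory (documentation address ranges, not real devices).
RTU_NETS = [ipaddress.ip_network("192.0.2.0/28")]
ENG_WORKSTATIONS = {ipaddress.ip_address("198.51.100.10")}

# Constructed flow records: time, src, dst, proto, dst_port
SAMPLE_FLOWS = """\
2025-10-15T08:00:01Z,198.51.100.10,192.0.2.5,udp,1594
2025-10-15T08:03:12Z,198.51.100.10,192.0.2.5,tcp,1594
2025-10-15T08:04:40Z,203.0.113.77,192.0.2.6,udp,1594
2025-10-15T08:05:02Z,203.0.113.77,192.0.2.6,tcp,1594
2025-10-15T08:06:30Z,198.51.100.10,192.0.2.5,tcp,443
2025-10-15T08:07:00Z,198.51.100.10,192.0.2.200,tcp,1594
"""

def classify(src, dst, proto, port):
    """Return 'alert', 'review' or 'ok' for one flow toward the RTU segment."""
    dst_ip = ipaddress.ip_address(dst)
    if port != SIXNET_PORT or not any(dst_ip in n for n in RTU_NETS):
        return "ok"
    if proto.lower() == "tcp":
        # TCP is the path accepted without an authentication challenge
        # (CVE-2023-42770), so any TCP/1594 flow means the block is missing.
        return "alert"
    if ipaddress.ip_address(src) not in ENG_WORKSTATIONS:
        return "review"  # UDP from a host that is not a known engineering station
    return "ok"

def audit(flow_csv):
    """Return (verdict, time, src, dst, proto) for every flow that is not 'ok'."""
    findings = []
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5 or not row[4].isdigit():
            continue  # skip malformed lines rather than abort the audit
        ts, src, dst, proto, port = row
        try:
            verdict = classify(src, dst, proto, int(port))
        except ValueError:
            continue  # unparsable address
        if verdict != "ok":
            findings.append((verdict, ts, src, dst, proto))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```
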

According to an alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in November 2023, the issues impact the following products –

ST-IPm-8460: Firmware 6.0.202 and later
ST-IPm-6350: Firmware version 4.9.114 and later
VT-mIPm-135-D: Firmware version 4.9.114 and later
VT-mIPm-245-D: Firmware version 4.9.114 and later
VT-IPm2m-213-D: Firmware version 4.9.114 and later
VT-IPm2m-113-D: Firmware version 4.9.114 and later

“Red Lion’s RTUs are prominent in many industrial automation settings, and an attacker with access to the devices and the ability to run commands at root presents significant possibilities for process disruption or damage,” Claroty noted.
