Two CVSS 10.0 Bugs in Red Lion RTUs Could Hand Hackers Full Industrial Control

Summary

Claroty Team 82 disclosed two critical vulnerabilities in Red Lion Sixnet RTUs — CVE-2023-42770 (authentication bypass) and CVE-2023-40151 (remote code execution) — both scored CVSS 10.0. The flaws affect SixTRAK and VersaTRAK RTUs and can allow an attacker to bypass authentication on TCP by exploiting the device’s UDP/TCP handling on port 1594, then use the Sixnet Universal Driver’s shell execution capability to run arbitrary commands as root. Red Lion and CISA previously published advisories and affected firmware lists.

Operators are advised to apply vendor patches, enable user authentication, and block TCP access to the affected RTUs immediately.

Key Points

  • CVE-2023-42770: authentication bypass due to differing UDP/TCP handling on port 1594, allowing unauthenticated TCP messages.
  • CVE-2023-40151: remote code execution via the Sixnet Universal Driver (UDR) that can execute shell commands with root privileges.
  • An attacker can chain the two flaws to achieve pre-auth root RCE on field RTUs.
  • Affected devices include SixTRAK and VersaTRAK RTUs used across energy, water, transportation, utilities and manufacturing.
  • Mitigations: apply patches, enable user authentication (UDR-A), and block TCP access to port 1594; verify firmware against CISA advisories.
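The mitigations above hinge on one observable: the authentication bypass is a TCP-path problem, so any TCP session to port 1594 on an RTU is worth accounting for while UDP polling is the expected transport. The following audit is an added example written for this page; it is not code from the article, Claroty or Red Lion. It reads simplified Zeek-style conn.log records (tab-separated ts, orig_h, orig_p, resp_h, resp_p, proto; a real conn.log has a header line and more columns) and flags every TCP/1594 session to an RTU subnet, rating it low when it comes from an allow-listed engineering host and high otherwise. The RTU subnet, the allowed host and the sample records are constructed assumptions.

```python
"""Audit flow records for TCP sessions to the Sixnet RTU port (1594).

Added example, not from the article or any vendor tooling. Assumes a
six-column tab-separated layout modelled on Zeek conn.log; the subnet,
allow list and sample lines below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SIXNET_PORT = 1594

# Constructed assumptions: where the RTUs live and which engineering
# hosts are expected to reach them over TCP.
RTU_SUBNETS = [ip_network("10.20.0.0/24")]
ALLOWED_TCP_SOURCES = {ip_address("10.10.5.7")}

# Constructed sample records: ts, orig_h, orig_p, resp_h, resp_p, proto
SAMPLE_CONN_LOG = [
    "1696000000.1\t10.10.5.7\t50123\t10.20.0.15\t1594\tudp",    # normal UDP polling
    "1696000001.2\t10.10.5.7\t50124\t10.20.0.15\t1594\ttcp",    # TCP from allowed host
    "1696000002.3\t192.168.77.9\t40001\t10.20.0.15\t1594\ttcp", # TCP from unknown host
    "1696000003.4\t192.168.77.9\t40002\t10.30.0.5\t1594\ttcp",  # target is not an RTU
    "1696000004.5\t10.10.5.7\t50125\t10.20.0.16\t502\ttcp",     # other port, out of scope
    "garbage line",                                              # unparseable, skipped
]


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    severity: str
    reason: str


def parse_conn_line(line):
    """Return a record dict for one tab-separated line, or None if unparseable."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    ts, src, _sport, dst, dport, proto = fields[:6]
    try:
        return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                "dport": int(dport), "proto": proto.lower()}
    except ValueError:
        return None


def is_rtu(addr):
    """True when the address falls inside a configured RTU subnet."""
    return any(addr in net for net in RTU_SUBNETS)


def audit_conn_log(lines):
    """Return one Finding per TCP session to port 1594 on an RTU.

    UDP sessions to 1594 are the expected polling traffic and are not flagged;
    TCP sessions are rated by whether the source is on the allow list.
    """
    findings = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["dport"] != SIXNET_PORT or not is_rtu(rec["dst"]):
            continue
        if rec["proto"] != "tcp":
            continue
        if rec["src"] in ALLOWED_TCP_SOURCES:
            findings.append(Finding(rec["ts"], str(rec["src"]), str(rec["dst"]),
                                    "info", "TCP/1594 from an allowed engineering host"))
        else:
            findings.append(Finding(rec["ts"], str(rec["src"]), str(rec["dst"]),
                                    "high", "TCP/1594 from a host not on the allow list"))
    return findings


if __name__ == "__main__":
    for f in audit_conn_log(SAMPLE_CONN_LOG):
        print(f"{f.severity:5} {f.ts} {f.src} -> {f.dst}: {f.reason}")
```

Run against the constructed log this reports two findings: an informational one for the allow-listed host and a high-severity one for the unknown source. Once TCP to 1594 is blocked at the segment boundary as the advisory recommends, any remaining hit is a firewall gap or a host inside the RTU segment and should be investigated rather than tuned out.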

Context and relevance

Root-level RCE on remote terminal units is high impact for industrial control systems — it can let attackers disrupt processes, falsify telemetry, or cause safety incidents. The simplicity of the attack chain (auth bypass + built-in shell access) raises the risk for any organisation that exposes management ports or runs legacy firmware. This continues the trend of ICS devices being a high-value target and underscores the need for patching, network segmentation and strict access controls.

Why should I read this?

Plain and simple — if you look after OT or ICS, this matters now. Two CVSS 10.0 bugs on field RTUs = immediate risk. Patches exist but many sites run old firmware and leave management ports open. Read this so you can check your kit, enable authentication, block TCP 1594 and patch without delay. We’ve done the legwork so you don’t have to.

Source

Source: https://thehackernews.com/2025/10/two-cvss-100-bugs-in-red-lion-rtus.html