Industrial Control at Risk: Red Lion RTU Vulnerabilities Score 10.0 CVSS

Researchers uncovered two critical Red Lion Sixnet RTU vulnerabilities that allow attackers to bypass authentication and execute root-level commands remotely. Widely used in energy, water, and transportation systems, these flaws pose severe risks to industrial operations and demand urgent patching.

    Critical vulnerabilities in widely deployed Red Lion Sixnet remote terminal units (RTUs) present serious risks for industrial control systems (ICS) across critical infrastructure sectors. Researchers from Claroty's Team82 uncovered two severe flaws, CVE-2023-40151 and CVE-2023-42770, both carrying the maximum CVSS base score of 10.0. Together they let an unauthenticated remote attacker execute commands as root on affected devices, and from there disrupt the physical processes the RTUs control.

    Red Lion Sixnet RTUs are Exposed by Authentication Flaws and Shell Execution Risks

    Red Lion's Sixnet line of RTUs, including the SixTRAK and VersaTRAK families, is used across energy, transportation, water, utilities, manufacturing, and waste treatment. The devices are configured with the Sixnet IO Tool Kit and communicate over the proprietary Sixnet Universal protocol, served by the Sixnet Universal Driver on the device. The reported vulnerabilities affect key models, including:

    • ST-IPm-8460
    • ST-IPm-6350
    • VT-mIPm-135-D
    • VT-mIPm-245-D
    • VT-IPm2m-213-D
    • VT-IPm2m-113-D

    Claroty’s findings demonstrate how an attacker could chain the vulnerabilities to bypass authentication and execute commands as root, resulting in full compromise of the RTU’s underlying Linux-based system.

    CVE-2023-42770 Allows Bypass via TCP/UDP Port Handling Discrepancy

    The first vulnerability, CVE-2023-42770, is a design flaw in how the RTU software handles Sixnet Universal protocol traffic. The software listens on port 1594 over both TCP and UDP. With user authentication enabled, a Universal Driver message that arrives over TCP is met with an authentication challenge, but the same message arriving over UDP is accepted with no challenge at all. An attacker who can reach UDP port 1594 therefore bypasses authentication entirely: the check is applied in one transport's handler rather than in the message processing that both transports share.

    CVE-2023-40151 Enables Unauthenticated Root Command Execution

    The second vulnerability, CVE-2023-40151, lies in the shell exposed by the Sixnet Universal Driver (UDR). Besides ordinary device interaction, the driver lets a user execute Linux shell commands on the RTU, and because the RTU software runs with root privileges those commands run as root. When user authentication is not enabled, this shell is open to anyone who can reach the device; combined with the authentication bypass above, it gives a remote, unauthenticated attacker arbitrary command execution as root.

    When exploited together, these flaws allow attackers not only to access the RTUs without authentication, but also to execute remote code with full system control—without user interaction. Claroty warns that threat actors exploiting these vulnerabilities could cause significant disruptions by shutting down or manipulating industrial processes.
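    The pattern behind the two flaws, an authentication check placed in one transport handler instead of in the message dispatcher both transports share, in front of a handler that runs privileged commands, is easy to reproduce in a small model. The following is an added example, not code from Claroty, Red Lion or the Sixnet firmware: the message layout, the command names, the token scheme and the "engineering-session" credential are constructed, it is not the Sixnet Universal protocol, and it runs no real command. The vulnerable class checks credentials only on the TCP path; the hardened class moves the check into the dispatcher and, as an additional least-privilege choice, refuses the shell command from the network altogether.

```python
"""Toy model of the dual-transport authentication flaw pattern (CVE-2023-42770)
chained with a privileged shell command handler (CVE-2023-40151).

Constructed for illustration: message fields, command names and the token scheme
are assumptions, this is not the Sixnet Universal protocol, and nothing is executed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

VALID_TOKENS = {"engineering-session"}  # constructed stand-in for an authenticated session


@dataclass
class Message:
    command: str                 # "read_io" or "shell" (constructed command names)
    argument: str = ""
    token: Optional[str] = None  # absent on an unauthenticated probe


@dataclass
class RtuModel:
    auth_enabled: bool = True
    executed: List[str] = field(default_factory=list)  # shell commands the model "ran"

    def authenticated(self, msg: Message) -> bool:
        # With authentication disabled on the device, every caller is accepted.
        return not self.auth_enabled or msg.token in VALID_TOKENS

    def dispatch(self, msg: Message) -> str:
        # Shared command handler. In the flawed design it trusts its callers to
        # have checked credentials; the device runs as root, so "shell" runs as root.
        if msg.command == "shell":
            self.executed.append(msg.argument)
            return "ok"
        if msg.command == "read_io":
            return "io=0"
        return "unknown command"


class VulnerableRtu(RtuModel):
    """Authentication enforced in the TCP handler only."""

    def handle_tcp(self, msg: Message) -> str:
        if not self.authenticated(msg):
            return "auth required"
        return self.dispatch(msg)

    def handle_udp(self, msg: Message) -> str:
        # Bug pattern: the UDP path issues no challenge and goes straight to dispatch.
        return self.dispatch(msg)


class HardenedRtu(RtuModel):
    """Authentication enforced in the dispatcher, so every transport inherits it.
    The shell command is also refused from the network regardless of credentials."""

    NETWORK_COMMANDS = {"read_io"}

    def dispatch(self, msg: Message) -> str:
        if not self.authenticated(msg):
            return "auth required"
        if msg.command not in self.NETWORK_COMMANDS:
            return "command not permitted over the network"
        return super().dispatch(msg)

    def handle_tcp(self, msg: Message) -> str:
        return self.dispatch(msg)

    def handle_udp(self, msg: Message) -> str:
        return self.dispatch(msg)


def demo() -> dict:
    """Send the same unauthenticated 'shell' probe over both transports to both models."""
    probe = Message("shell", "id")
    results = {}
    for name, rtu in (("vulnerable", VulnerableRtu()), ("hardened", HardenedRtu())):
        results[name] = {
            "tcp": rtu.handle_tcp(probe),
            "udp": rtu.handle_udp(probe),
            "executed": list(rtu.executed),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

    The vulnerable model refuses the probe over TCP and "runs" it over UDP; the hardened model refuses it on both transports, and even with authentication disabled it still refuses the shell command because the dispatcher, not the transport, is where the policy lives.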

    Defense Measures are Available, but Require Prompt Action

    Red Lion has released security patches addressing both vulnerabilities, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory outlining the scope and impact of these issues in November 2023.

    Recommended mitigations include:

    • Immediately applying Red Lion’s firmware updates for all affected SixTRAK and VersaTRAK devices.
    • Enabling user authentication on every device through the Sixnet IO Tool Kit; without it, the Universal Driver shell is open to anyone who can reach the RTU.
    • Blocking port 1594, both TCP and UDP, at network boundaries so that Sixnet Universal traffic reaches the RTUs only from designated engineering hosts.
    • Reviewing firewall rules and network segmentation strategies to isolate RTUs from the public internet where possible.

    ICS Environments Face Elevated Risk from Network-Exploitable Vulnerabilities

    While CVSS scores often inform prioritization in vulnerability management, a pair of back-to-back 10.0-rated remote code execution (RCE) vulnerabilities—especially in devices controlling critical infrastructure—are a rare and significant threat. The flaws in Red Lion Sixnet RTUs underscore enduring security weaknesses in legacy or proprietary ICS communication protocols.

    Claroty emphasized the wider danger:

    “An attacker who obtains root access to these devices could cause extensive disruption or even physical damage to industrial environments.”

    Given the widespread deployment of these RTUs in operational technology (OT) spaces, attackers gaining initial access to a vulnerable RTU could pivot further into SCADA (Supervisory Control and Data Acquisition) systems or central control networks.

    Organizations Must Stay Vigilant as Field Devices Become High-Value Targets

    The vulnerabilities also highlight a perennial security challenge in ICS and OT: embedded device software often lacks authentication or encryption in its management protocols, and its network behaviour (here, one protocol served on two transports with different checks) is rarely scrutinized. Moreover, many of these devices sit in hard-to-reach or unattended locations, so patching cycles are irregular and delayed.

    No public reporting at the time of writing describes exploitation in the wild or an active threat actor campaign, so the immediate threat is unexploited but severe. Industrial cybersecurity teams are urged to:

    • Actively monitor Red Lion's security advisories and CISA's ICS advisories.
    • Configure network intrusion detection to alert on any TCP or UDP traffic to port 1594 whose source is not a designated engineering workstation.
    • Catalog every asset that speaks the Sixnet Universal protocol and test each one for exposure.

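    The monitoring and inventory items above can be run directly over flow records. The following is an added example, not part of the original page and not a Claroty or Red Lion tool: the CSV layout of the flow records, the subnets, and the engineering workstation address are constructed assumptions. It flags every port 1594 flow, TCP or UDP alike since the same protocol is served on both, that does not originate from the approved engineering host, ranking sources outside the OT networks above stray OT hosts, and it builds the list of RTUs that have been seen speaking the protocol.

```python
"""Flag Sixnet Universal traffic (port 1594, TCP or UDP) from unexpected sources
and inventory the RTUs that receive it, using constructed flow records.

Added example; the CSV layout, subnets and engineering host are assumptions.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Set

SIXNET_PORT = 1594

# Constructed topology: only the engineering workstation 10.10.5.12 is supposed
# to talk Sixnet Universal to the RTUs; 10.10.0.0/16 is the whole OT estate.
OT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.5.12")}

# Constructed sample flows, one line per TCP connection or UDP exchange.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto
2023-11-20T10:00:01Z,10.10.5.12,51234,10.10.20.7,1594,tcp
2023-11-20T10:00:05Z,10.10.5.12,51235,10.10.20.7,1594,udp
2023-11-20T10:01:13Z,192.0.2.44,40001,10.10.20.7,1594,udp
2023-11-20T10:01:20Z,10.10.99.3,40002,10.10.20.8,1594,tcp
2023-11-20T10:02:00Z,10.10.5.12,51240,10.10.20.7,502,tcp
"""


def _sixnet_rows(flow_csv: str):
    """Yield only the rows whose destination port is the Sixnet Universal port."""
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dst_port"]) == SIXNET_PORT:
            yield row


def sixnet_alerts(flow_csv: str) -> List[Dict[str, str]]:
    """Return one alert per port 1594 flow that did not come from an engineering host."""
    alerts = []
    for row in _sixnet_rows(flow_csv):
        src = ipaddress.ip_address(row["src_ip"])
        if src in ENGINEERING_HOSTS:
            continue  # expected management traffic
        if any(src in net for net in OT_NETWORKS):
            severity = "medium"
            reason = "non-engineering OT host reached an RTU on port 1594"
        else:
            severity = "high"
            reason = "port 1594 reached from outside the OT networks"
        alerts.append({
            "ts": row["ts"],
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "proto": row["proto"],   # both transports are flagged; same protocol, same port
            "severity": severity,
            "reason": reason,
        })
    return alerts


def sixnet_endpoints(flow_csv: str) -> Set[str]:
    """Inventory: every destination address that has been seen receiving port 1594 traffic."""
    return {row["dst_ip"] for row in _sixnet_rows(flow_csv)}


if __name__ == "__main__":
    for alert in sixnet_alerts(SAMPLE_FLOWS):
        print(alert["severity"].upper(), alert["ts"], alert["src_ip"], "->", alert["dst_ip"],
              alert["proto"], alert["reason"])
    print("RTUs seen on port 1594:", sorted(sixnet_endpoints(SAMPLE_FLOWS)))
```

    On the sample records the two engineering-workstation flows and the Modbus flow on port 502 pass, the flow from 192.0.2.44 is raised as high, and the flow from the non-engineering OT host 10.10.99.3 as medium. Any address that appears in the endpoint inventory but not in the asset register is a device to track down before the firmware update, not after.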
    A Wake-up Call for Industrial Sector Cyber Defenses

    The Red Lion Sixnet vulnerabilities, rooted in an authentication check applied to one transport but not the other and in a management shell that runs with root privileges, are a stark reminder that perimeter security is not enough in industrial environments. Remote command execution reachable through an authentication bypass is a systemic risk, not a single-device problem.

    With patches now available and detection guidance provided, the window for mitigation is clear, but may soon close. Industrial operators, utilities, and infrastructure protection teams should act swiftly to secure their RTU environments and prepare for deeper scrutiny of ICS cybersecurity postures.
