Security researchers have disclosed two critical flaws in Red Lion's Sixnet remote terminal units (RTUs), a product line widely deployed in industrial automation. Both vulnerabilities, tracked as CVE-2023-40151 and CVE-2023-42770, carry the maximum CVSS score of 10.0 and allow an attacker to take over the device with the highest privileges.
According to a report from Claroty's research group Team82, the affected Red Lion SixTRAK and VersaTRAK RTUs can be exploited without authentication. An attacker who can reach the device over the network can send commands and execute arbitrary code as root, opening the door to complete control of the industrial process. This is an especially serious risk for operators of industrial control systems (ICS/SCADA) in the energy, water and wastewater, transportation, urban infrastructure, and manufacturing sectors.
Red Lion's RTUs are configured with the Sixnet IO Tool Kit software running on Windows, which talks to the device over a proprietary protocol called Sixnet Universal Driver (UDR). Over UDP, the protocol supports features such as file management, retrieval of system information, and manipulation of the Linux kernel and bootloader. It is this protocol that is at the root of the two vulnerabilities Claroty found.
CVE-2023-42770 is an authentication bypass. The Sixnet RTU software listens on the same port, 1594, over both UDP and TCP. Connections over UDP are subject to authentication, but packets arriving over TCP are accepted without any authentication check. An attacker can therefore send crafted UDR messages over TCP and skip the initial protection entirely.
CVE-2023-40151, meanwhile, is a remote code execution vulnerability stemming from the UDR protocol's ability to execute Linux shell commands. Chaining the two, an attacker bypasses authentication altogether, sends commands directly to the device, and executes arbitrary code as root. That means full control of the device and of the processes it runs.
Red Lion's June 2025 advisory confirms that SixTRAK and VersaTRAK devices with user authentication enabled remain affected when UDR packets arrive over TCP, because the authentication check is missing on that path. When user authentication is disabled, the device allows direct command execution with the highest privileges, a serious risk for any industrial system reachable over the network.
Product lines affected include:
- ST-IPm-8460: Firmware version 6.0.202 or higher
- ST-IPm-6350: Firmware version 4.9.114 or higher
- VT-mIPm-135-D: Firmware version 4.9.114 or higher
- VT-mIPm-245-D: Firmware version 4.9.114 or higher
- VT-IPm2m-213-D: Firmware version 4.9.114 or higher
- VT-IPm2m-113-D: Firmware version 4.9.114 or higher
Claroty emphasized that gaining root on industrial RTUs such as Red Lion's could let attackers seriously disrupt or even sabotage automated control. As ICS networks become more connected and harder to fully isolate, these vulnerabilities are particularly worrisome because they pave the way for offensive operations against critical infrastructure.
Users are advised to apply the patches Red Lion has released immediately, to enable user authentication, and to restrict TCP access to affected RTUs. These measures do not eliminate the risk, but they are the minimum defense needed to keep an attacker from gaining remote control in an industrial environment.
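As an added example, not code from the article, Claroty or Red Lion, the script below turns the two facts above into an exposure audit: it matches each RTU in an inventory against the affected model and firmware ranges listed in the advisory, and for those in range it checks whether TCP/1594, the unauthenticated UDR path, accepts connections from the auditing host. It sends no UDR payload, only a TCP connect that is closed immediately. The inventory, addresses and firmware builds are constructed sample data, and because the article does not state the fixed firmware versions, any build at or after the first affected version is reported as in range until the operator confirms it has been patched.

```python
"""
Exposure audit for Red Lion Sixnet RTUs (CVE-2023-42770 / CVE-2023-40151).

An RTU is reported as exposed when (a) its model and firmware fall in the
affected ranges listed in the advisory and (b) TCP/1594, the port on which
UDR accepts unauthenticated traffic, is reachable from this host.
The inventory at the bottom is constructed sample data, not real devices.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

UDR_PORT = 1594  # Sixnet UDR listens here on both UDP and TCP

# First affected firmware build per model, as listed in the advisory.
# Later builds are treated as in range because this script does not know
# the fixed versions; confirm patch status against Red Lion's advisory.
AFFECTED_FROM: Dict[str, Tuple[int, ...]] = {
    "ST-IPm-8460": (6, 0, 202),
    "ST-IPm-6350": (4, 9, 114),
    "VT-mIPm-135-D": (4, 9, 114),
    "VT-mIPm-245-D": (4, 9, 114),
    "VT-IPm2m-213-D": (4, 9, 114),
    "VT-IPm2m-113-D": (4, 9, 114),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.0.202' into (6, 0, 202) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def firmware_in_affected_range(model: str, firmware: str) -> bool:
    """True when the model is listed and the firmware is at or past its first affected build."""
    start = AFFECTED_FROM.get(model)
    if start is None:
        return False
    return parse_version(firmware) >= start


def tcp_port_open(host: str, port: int = UDR_PORT, timeout: float = 2.0) -> bool:
    """Plain TCP connect check; nothing is written to the socket and it is closed at once."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or no route
        return False


def audit(
    inventory: List[Dict[str, str]],
    probe: Callable[[str, int, float], bool] = tcp_port_open,
    port: int = UDR_PORT,
    timeout: float = 2.0,
) -> List[Dict[str, object]]:
    """One result row per RTU. The network is only touched for devices in the affected range."""
    rows: List[Dict[str, object]] = []
    for rtu in inventory:
        affected = firmware_in_affected_range(rtu["model"], rtu["firmware"])
        reachable: Optional[bool] = probe(rtu["ip"], port, timeout) if affected else None
        rows.append({
            "ip": rtu["ip"],
            "model": rtu["model"],
            "firmware": rtu["firmware"],
            "affected_range": affected,
            "tcp_1594_reachable": reachable,
            "exposed": bool(affected and reachable),
        })
    return rows


# Constructed sample inventory (TEST-NET addresses, hypothetical firmware builds)
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"ip": "192.0.2.10", "model": "ST-IPm-8460", "firmware": "6.0.202"},
    {"ip": "192.0.2.11", "model": "ST-IPm-6350", "firmware": "4.9.110"},
    {"ip": "192.0.2.12", "model": "VT-mIPm-135-D", "firmware": "4.9.120"},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY, timeout=1.0):
        if row["exposed"]:
            status = "EXPOSED: affected firmware and TCP/1594 reachable"
        elif row["affected_range"]:
            status = "affected firmware, TCP/1594 not reachable from here"
        else:
            status = "outside affected range"
        print(f'{row["ip"]:<14} {row["model"]:<16} {row["firmware"]:<9} {status}')
```

Run it from the engineering network segment that is allowed to talk to the RTUs, and again from a segment that should not be able to; any device reported as exposed from the second position is a candidate for a firewall rule that permits only the Sixnet IO Tool Kit host to reach UDP/1594 and drops TCP/1594 outright. A reachable port is reported as a fact about network reachability only; it does not by itself prove the device is unpatched.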