Cybersecurity researchers have disclosed two critical security flaws impacting Red Lion Sixnet remote terminal unit (RTU) products that, if successfully exploited, could result in code execution with the highest privileges.
The shortcomings, tracked as CVE-2023-40151 and CVE-2023-42770, are both rated 10.0 on the CVSS scoring system.
“The vulnerabilities affect Red Lion SixTRAK and VersaTRAK RTUs, and allow an unauthenticated attacker to execute commands with root privileges,” Claroty Team 82 researchers said in a report published Tuesday.
Red Lion’s Sixnet RTUs provide advanced automation, control, and data acquisition capabilities in industrial automation and control systems, primarily across energy, water, and wastewater treatment, transportation, utilities, and manufacturing sectors.
These industrial devices are configured using a Windows utility called Sixnet IO Tool Kit, with a proprietary Sixnet “Universal” protocol used to interface and enable communication between the kit and the RTUs.
There also exists a user-permission system atop this mechanism to support file management, set/get station information, obtain Linux kernel and boot version, among others, over the UDP protocol.
The two vulnerabilities identified by Claroty are listed below –
- CVE-2023-42770 – An authentication bypass that arises as a result of the Sixnet RTU software listening to the same port (number 1594) in UDP and TCP that only prompts for an authentication challenge over UDP, while accepting the incoming message over TCP without prompting for any authentication
- CVE-2023-40151 – A remote code execution vulnerability that leverages Sixnet Universal Driver’s (UDR) built-in support for Linux shell command execution to run arbitrary code with root privileges
As a result, an attacker could chain both flaws to sidestep authentication protections to run commands and achieve remote code execution.
“Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message received over TCP/IP, the RTU will accept the message with no authentication challenge,” Red Lion said in an advisory released back in June 2025. “When user authentication is not enabled, the shell can execute commands with the highest privileges.”
Users are advised to apply the patches for the two vulnerabilities as soon as possible. It’s also recommended to enable user authentication in the Red Lion RTU and block access over TCP to the affected RTUs.
According to an alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in November 2023, the flaws impact the following products –
- ST-IPm-8460: Firmware 6.0.202 and later
- ST-IPm-6350: Firmware version 4.9.114 and later
- VT-mIPm-135-D: Firmware version 4.9.114 and later
- VT-mIPm-245-D: Firmware version 4.9.114 and later
- VT-IPm2m-213-D: Firmware version 4.9.114 and later
- VT-IPm2m-113-D: Firmware version 4.9.114 and later
“Red Lion’s RTUs are prominent in many industrial automation settings, and an attacker with access to the devices and the ability to run commands at root presents significant possibilities for process disruption or damage,” Claroty noted.
