Article Details

Two CVSS 10.0 Bugs in Red Lion RTUs Could Hand Hackers Full Industrial Control. Cybersecurity researchers have disclosed two critical security flaws impacting Red Lion Sixnet remote terminal unit (RTU) products that, if successfully exploited, could result in code execution with the highest privileges. The shortcomings, tracked as CVE-2023-40151 and CVE-2023-42770, are both rated 10.0 on the CVSS scoring system. "The vulnerabilities affect Red Lion SixTRAK and VersaTRAK RTUs, and allow an unauthenticated attacker to execute commands with root privileges," Claroty Team 82 researchers said in a report published Tuesday. Red Lion's Sixnet RTUs provide advanced automation, control, and data acquisition capabilities in industrial automation and control systems, primarily across energy, water, and wastewater treatment, transportation, utilities, and manufacturing sectors. These industrial devices are configured using a Windows utility called Sixnet IO Tool Kit, with a proprietary Sixnet "Universal" protocol used to interface and enable communication between the kit and the RTUs. There also exists a user-permission system atop this mechanism to support file management, set/get station information, obtain Linux kernel and boot version, among others, over the UDP protocol. The two vulnerabilities identified by Claroty are listed below - As a result, an attacker could chain both flaws to sidestep authentication protections to run commands and achieve remote code execution. "Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message received over TCP/IP, the RTU will accept the message with no authentication challenge," Red Lion said in an advisory released back in June 2025. "When user authentication is not enabled, the shell can execute commands with the highest privileges." Users are advised to apply the patches for the two vulnerabilities as soon as possible. It's also recommended to enable user authentication in the Red Lion RTU and block access over TCP to the affected RTUs. According to an alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in November 2023, the flaws impact the following products - "Red Lion's RTUs are prominent in many industrial automation settings, and an attacker with access to the devices and the ability to run commands at root presents significant possibilities for process disruption or damage," Claroty noted.