Two Critical Red Lion RTU Flaws Rated CVSS 10.0 Could Give Hackers Full Industrial Control

Cybersecurity researchers have disclosed two severe vulnerabilities in Red Lion Sixnet remote terminal units (RTUs) that, chained together, allow an unauthenticated attacker to gain root-level code execution on affected devices. The issues, tracked as CVE-2023-40151 and CVE-2023-42770, each carry the maximum CVSS score of 10.0, underscoring the risk to industrial control systems in energy, water, transportation, utilities, and manufacturing environments.

What the affected devices do, and how they are configured

Red Lion Sixnet RTUs, including the SixTRAK and VersaTRAK series, are used for automation, process control, and data acquisition in industrial operations. Administrators configure them with a Windows utility called Sixnet IO Tool Kit, which talks to the devices over the proprietary Sixnet Universal protocol. The RTUs expose a file and station management API over both UDP and TCP, gated by a user permission system, and support operations such as file management, station information retrieval, and kernel or boot version queries. The same protocol also includes a facility for executing shell commands on the device under certain conditions, which is what makes the flaws below so consequential.

The two vulnerabilities, explained

1. CVE-2023-42770: authentication bypass

  • Root cause: the RTU listens on the same port, 1594, for both UDP and TCP, but the authentication challenge is issued only for messages received over UDP. A message arriving over TCP is never challenged, so an attacker can send commands that the device treats as authenticated without supplying any valid credentials.

2. CVE-2023-40151: remote code execution via the Universal Driver (UDR)

  • Root cause: the Sixnet Universal Driver includes built-in support for executing Linux shell commands, invoked by specially crafted messages. When that path is reached without an authentication check, arbitrary commands run with the RTU's highest privileges, effectively root.

How the two flaws combine, and why that is dangerous

An attacker can chain the authentication bypass with the UDR command execution to skip authentication and then run arbitrary shell commands as root. In short, CVE-2023-42770 removes the access-control gate and CVE-2023-40151 provides the code-execution mechanism; together they enable remote compromise without valid credentials. Claroty Team82, which reported the issues, emphasized that this combination lets unauthenticated actors execute commands with root privileges on affected SixTRAK and VersaTRAK RTUs.
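The following is an added, simplified model of the two defects described above and of how the chain works, placed here for illustration; it is not Red Lion's firmware and does not implement the real Sixnet Universal (UDR) protocol. The message fields, the opcode names ("STATION_INFO", "SHELL"), the token-based stand-in for the authentication challenge and the credential value are all hypothetical. The flawed dispatcher checks authentication only on the UDP path and exposes a shell opcode that runs as root whenever it is reached; the hardened dispatcher beside it decides authentication independently of transport and refuses the shell opcode outright.

```python
"""Simplified model of the transport-dependent authentication check behind
CVE-2023-42770 and the shell-command path behind CVE-2023-40151, with a
hardened handler beside the flawed one.

Added example: this is not Red Lion firmware and does not implement the real
Sixnet Universal (UDR) protocol. Message fields, opcode names, the token scheme
and the credential value are hypothetical. No network I/O occurs and no command
is actually executed; "executed" commands are only recorded.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

UDR_PORT = 1594  # the advisory's service port; same number for UDP and TCP


@dataclass
class Message:
    transport: str               # "udp" or "tcp"
    opcode: str                  # hypothetical opcodes: "STATION_INFO", "SHELL"
    payload: str = ""            # shell command line for "SHELL"
    token: Optional[str] = None  # hypothetical proof of a completed challenge


@dataclass
class RTU:
    auth_enabled: bool = True
    # Constructed: tokens the device would accept after a successful challenge.
    valid_tokens: Set[str] = field(default_factory=lambda: {"operator-token"})
    executed: List[Tuple[str, str]] = field(default_factory=list)

    def _challenge_ok(self, msg: Message) -> bool:
        return msg.token in self.valid_tokens

    def handle_vulnerable(self, msg: Message) -> str:
        """Flawed dispatcher: the challenge is only issued on the UDP path
        (CVE-2023-42770 analogue), so TCP messages are treated as authenticated."""
        if self.auth_enabled and msg.transport == "udp":
            if not self._challenge_ok(msg):
                return "DENIED: authentication challenge failed"
        return self._dispatch(msg)

    def handle_fixed(self, msg: Message) -> str:
        """Hardened dispatcher: the authentication decision is made before and
        independent of the transport, and the shell opcode is refused outright,
        so neither flaw is reachable."""
        if self.auth_enabled and not self._challenge_ok(msg):
            return "DENIED: authentication required"
        if msg.opcode == "SHELL":
            return "DENIED: shell access disabled"
        return self._dispatch(msg)

    def _dispatch(self, msg: Message) -> str:
        if msg.opcode == "STATION_INFO":
            return "OK: station info"
        if msg.opcode == "SHELL":
            # CVE-2023-40151 analogue: the built-in shell path runs with the
            # device's highest privileges whenever it is reached.
            self.executed.append(("root", msg.payload))
            return "OK: executed as root: " + msg.payload
        return "ERROR: unknown opcode"


def demo() -> dict:
    """Run the chain against the flawed handler, then the same traffic against the fixed one."""
    rtu = RTU()
    shell_udp = Message("udp", "SHELL", "cat /etc/shadow")
    shell_tcp = Message("tcp", "SHELL", "cat /etc/shadow")
    return {
        "udp_unauth": rtu.handle_vulnerable(shell_udp),   # challenged and refused
        "tcp_unauth": rtu.handle_vulnerable(shell_tcp),   # bypass, then root shell
        "fixed_tcp_unauth": rtu.handle_fixed(shell_tcp),  # refused
        "fixed_info_auth": rtu.handle_fixed(
            Message("tcp", "STATION_INFO", token="operator-token")),
        "executed": list(rtu.executed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

With `auth_enabled=False` the flawed handler runs the shell opcode on either transport, which mirrors the condition Red Lion described for CVE-2023-40151; the hardened handler still refuses it, because the shell path is gated on its own rather than only on the login state.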

Confirmations from Red Lion and CISA, and product impact

Red Lion acknowledged the issues in an advisory published in June 2025, noting that the SixTRAK and VersaTRAK series are affected and that, when user authentication is not enabled, the RTU shell can execute commands with the highest privileges. Red Lion also noted that any Sixnet UDR message received over TCP/IP is accepted with no authentication challenge if the device has authenticated users enabled in the UDR-A configuration but is listening on TCP for UDR messages.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in November 2023 listing affected models and firmware versions, among them ST-IPm-8460 with firmware 6.0.202 and later, ST-IPm-6350 with firmware 4.9.114 and later, and several VT and VT-IPm2m variants with firmware 4.9.114 and later. Because Red Lion RTUs are widespread in industrial settings, a root compromise could let attackers disrupt processes, manipulate sensor or actuator data, or cause physical damage through process-control manipulation.

Recommended mitigation steps, immediate and long term

  • Apply vendor patches immediately: updated firmware and software fixes have been issued, and patching is the most reliable mitigation.
  • Enable user authentication on affected RTUs: verify that UDR-A or equivalent authentication is configured and enforced. Note that on unpatched firmware this alone does not protect the TCP path, which the vendor states is accepted without a challenge even when authenticated users are enabled.
  • Block TCP access to the affected service port: drop inbound TCP traffic to port 1594 at network firewalls, or segment RTUs behind jump hosts and management VLANs, and allow only trusted management hosts to use UDP/1594 where the environment requires it.
  • Harden network segmentation: place RTUs in isolated industrial networks, limit management access to known operator stations, and use strict ACLs.
  • Monitor for suspicious activity: look for unexpected UDR messages, unusual shell command executions, and anomalous traffic to port 1594, and log and alert on these events.
  • Inventory and prioritize: identify all Red Lion Sixnet RTUs on the network, confirm firmware versions, and prioritize patching based on exposure and criticality.
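As an added example of the monitoring and port-blocking points above (not part of the advisory or of the vendor's guidance), the script below screens flow records for traffic to port 1594 into an RTU segment. Any TCP/1594 flow is rated high regardless of source, because that is the path on which the authentication challenge is skipped and it should already be dropped at the firewall; UDP/1594 is rated medium only when the source is not on the management allow-list. The record format, the addresses, the allow-list and the sample lines are all constructed for the demonstration.

```python
"""Screen flow records for traffic to the Sixnet UDR port (1594) against the
mitigation posture above: TCP/1594 to an RTU should be blocked entirely, and
UDP/1594 should come only from trusted management hosts.

Added example, not part of the advisory or the vendor's guidance. The record
format, addresses, allow-list and sample lines are all constructed; adapt
parse_flow() to your own NetFlow, Zeek conn.log or firewall export.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

UDR_PORT = 1594

# Constructed: the only hosts allowed to speak UDR (over UDP) to the RTUs.
TRUSTED_MGMT = [ip_network("10.10.1.10/32"), ip_network("10.10.1.11/32")]
# Constructed: the segment where the RTUs live.
RTU_NET = ip_network("10.20.0.0/24")

# Constructed sample flows: "<timestamp> <proto> <src> <sport> <dst> <dport>"
SAMPLE_FLOWS = """\
2025-10-14T08:00:01Z udp 10.10.1.10 50110 10.20.0.5 1594
2025-10-14T08:00:07Z tcp 10.10.1.10 50111 10.20.0.5 1594
2025-10-14T08:00:12Z udp 192.168.77.3 41000 10.20.0.7 1594
2025-10-14T08:00:15Z tcp 192.168.77.3 41001 10.20.0.7 1594
2025-10-14T08:00:20Z tcp 10.10.1.11 50300 10.20.0.9 502
2025-10-14T08:00:25Z tcp 192.168.77.3 41002 10.30.0.4 1594
"""


def parse_flow(line: str) -> Dict[str, object]:
    """Split one constructed flow record into typed fields."""
    ts, proto, src, sport, dst, dport = line.split()
    return {"ts": ts, "proto": proto.lower(), "src": ip_address(src),
            "sport": int(sport), "dst": ip_address(dst), "dport": int(dport)}


def classify(flow: Dict[str, object]) -> Optional[str]:
    """Return a severity-tagged alert for a UDR flow into the RTU segment, or
    None when the flow is out of scope or matches the expected posture."""
    if flow["dport"] != UDR_PORT or flow["dst"] not in RTU_NET:
        return None
    trusted = any(flow["src"] in net for net in TRUSTED_MGMT)
    if flow["proto"] == "tcp":
        # Any TCP reaching 1594 on an RTU is the unauthenticated path of
        # CVE-2023-42770; it should have been dropped at the firewall, so a
        # management-host source does not lower the severity.
        return f"HIGH: UDR over TCP to {flow['dst']} from {flow['src']}"
    if flow["proto"] == "udp" and not trusted:
        return f"MEDIUM: UDR over UDP to {flow['dst']} from non-management host {flow['src']}"
    return None


def screen(text: str) -> List[Tuple[str, str]]:
    """Run classify() over every record; return (timestamp, alert) pairs."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            alerts.append((flow["ts"], label))
    return alerts


def summarize(alerts: List[Tuple[str, str]]) -> Counter:
    """Count alerts by severity prefix (the part before the first colon)."""
    return Counter(label.split(":", 1)[0] for _, label in alerts)


if __name__ == "__main__":
    found = screen(SAMPLE_FLOWS)
    for ts, label in found:
        print(ts, label)
    print(dict(summarize(found)))
```

The last sample record is deliberately outside the RTU segment and produces no alert, which keeps the rule scoped to the devices the advisory covers rather than to every use of port 1594 on the network.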

Why this matters, operational risk summary

An attacker who can run commands as root on an RTU can manipulate process logic, disable safety controls, corrupt or replay sensor data, and disrupt operations. Because RTUs interface directly with industrial assets, successful exploitation could lead to process downtime, safety incidents, environmental damage, and significant financial and reputational impact. The maximum CVSS score reflects both the ease of exploitation when the flaws are chained and the potentially severe real-world consequences.