Red Lion Sixnet RTUs Exposed: Critical Vulnerabilities Open the Door to Full System Takeover
The Invisible Breach: A Wake-Up Call for Industrial Cybersecurity
In an era where industrial automation defines the backbone of modern infrastructure, a silent storm is brewing beneath the surface. Cybersecurity researchers have uncovered two critical vulnerabilities in Red Lion Sixnet remote terminal units (RTUs)—devices deeply embedded in industries such as energy, water, transportation, and manufacturing. These vulnerabilities, both rated 10.0 on the CVSS scale, represent the highest level of severity possible—meaning they can potentially give attackers complete control over the affected systems.
Red Lion’s SixTRAK and VersaTRAK RTUs are crucial components in industrial control systems (ICS). They act as digital intermediaries that connect, monitor, and automate processes across facilities that handle electricity distribution, water purification, and manufacturing assembly lines. When such systems are compromised, the risks go far beyond data theft—they extend into operational paralysis and physical damage to critical infrastructure.
The flaws, CVE-2023-40151 and CVE-2023-42770, were discovered by Claroty's Team 82, a group specializing in industrial cybersecurity. Their findings show how an attacker who can reach the RTU over the network could abuse Red Lion's proprietary Sixnet communication protocol to execute code remotely without ever authenticating. In practice the attacker ends up running commands as root on the device's Linux system, the highest privilege level the RTU has.
The first, CVE-2023-42770, is an authentication bypass that stems from how the Sixnet RTU software services the same port (1594) over both UDP and TCP. When user authentication is enabled, requests arriving over UDP are authenticated, but requests arriving over TCP are accepted without any check, so an attacker can send the same commands over TCP and skip authentication entirely. The second, CVE-2023-40151, is the more dangerous of the two: the Sixnet Universal Driver (UDR) protocol exposes a facility for running Linux shell commands directly, and those commands execute with the highest privileges on the device.
When combined, the two form a complete exploitation chain: the attacker bypasses authentication over TCP, injects shell commands through UDR, and seizes total control of the RTU. On a unit where user authentication was never enabled, CVE-2023-40151 alone is enough. This isn't just a theoretical risk. In industrial systems, such control could mean disrupting water treatment operations, halting energy distribution, or manipulating manufacturing processes in real time.
Red Lion acknowledged the issue in an advisory released in June 2025, urging users to install security patches immediately and to enable user authentication. The company emphasized that systems running without authentication are especially exposed: when user authentication is not enabled, the RTU shell executes commands with the highest privileges for anyone who can reach the device.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert in late 2023, confirming that several SixTRAK and VersaTRAK models—including the ST-IPm-8460 and VT-IPm2m-113-D—are affected. These RTUs are deployed worldwide, making the exposure a global concern for critical industries.
Claroty warns that the potential consequences of these flaws are severe. If exploited, attackers could manipulate industrial operations, alter system data, or halt production lines—all remotely, without needing physical access to the network. The very systems designed to ensure efficiency and safety could be turned against their operators.
The message from the cybersecurity community is clear: patch now, protect always. The cost of inaction could be catastrophic—not just financially, but operationally and even environmentally, depending on where these systems are deployed.
What Undercode Says:
The discovery of these vulnerabilities highlights a recurring—and deeply concerning—pattern in industrial cybersecurity: legacy protocols and insufficient authentication layers continue to haunt critical systems. The Sixnet “Universal” protocol was designed in an era that prioritized convenience and interoperability, not modern security standards. This architectural weakness now stands as a doorway for exploitation.
The problem is not unique to Red Lion. Many industrial control systems still rely on outdated communication models that were never intended to operate in today’s hyperconnected environments. The shift from isolated networks to IP-based communication has exposed these systems to a new world of threats. What once required physical access can now be executed remotely from across the globe.
The significance of the Red Lion flaws lies in their simplicity and scope. Exploiting them doesn’t require advanced hacking tools or zero-day sophistication—just a deep understanding of industrial protocols and network behavior. This makes the attack surface alarmingly accessible to both state-sponsored adversaries and cybercriminal groups interested in disruption or ransom.
From an operational perspective, these vulnerabilities raise questions about supply chain security and vendor accountability. Industrial operators often rely on vendors to deliver secure firmware and timely patches, yet patch cycles in operational technology (OT) environments can be notoriously slow. Unlike IT systems, updating a factory control unit isn’t as simple as rebooting a server—it requires careful testing to avoid downtime or unexpected consequences in live production environments.
Moreover, the dual-protocol flaw, where TCP accepts unauthenticated commands that UDP would reject, reflects a dangerous oversight in software design. It underscores a secure-by-design principle: the authentication check belongs in one place that every request passes through, never in a code path that only some transports reach. The fact that UDP required verification while TCP did not shows how a small inconsistency between two code paths can have catastrophic effects when exploited.
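The following toy model is an added example, not Red Lion's code and not the real Sixnet UDR wire format, which is proprietary. It reproduces the two conditions described above (the transport-dependent check behind CVE-2023-42770 and the "authentication disabled" condition behind CVE-2023-40151) in a small request handler, next to a hardened handler with a single transport-agnostic gate. The operation names (LOGIN, READ_IO, WRITE_IO, SHELL) and the password are assumptions for the model.

```python
"""Toy model of a transport-dependent authentication check versus a single gate.
Constructed example; not Red Lion's code and not the real Sixnet UDR message format.
"""
from dataclasses import dataclass

SIXNET_UDR_PORT = 1594  # the single port both transports share (named in the advisory)

# Hypothetical operation names for the model; the real UDR message set is proprietary.
OPS = {"LOGIN", "READ_IO", "WRITE_IO", "SHELL"}


@dataclass
class Session:
    transport: str            # "udp" or "tcp"
    authenticated: bool = False


class VulnerableRtu:
    """Reproduces both conditions the article describes:
    - auth_enabled=False: no check at all, the shell op runs for anyone (cf. CVE-2023-40151)
    - auth_enabled=True: the check exists only on the UDP path (cf. CVE-2023-42770)
    """

    def __init__(self, password: str, auth_enabled: bool):
        self._password = password
        self.auth_enabled = auth_enabled
        self.executed = []        # (op, arg) pairs that actually ran

    def _login(self, session: Session, arg: str) -> str:
        session.authenticated = arg == self._password
        return "OK" if session.authenticated else "DENIED"

    def handle(self, session: Session, op: str, arg: str = "") -> str:
        if op not in OPS:
            return "UNKNOWN"
        if op == "LOGIN":
            return self._login(session, arg)
        # BUG: the guard is tied to the transport, so a TCP client never meets it,
        # and it disappears entirely when authentication is switched off.
        if self.auth_enabled and session.transport == "udp" and not session.authenticated:
            return "DENIED"
        self.executed.append((op, arg))
        return "OK"


class HardenedRtu(VulnerableRtu):
    """One gate, evaluated before dispatch, independent of transport and of the
    auth_enabled flag: privileged operations always require an authenticated session."""

    def handle(self, session: Session, op: str, arg: str = "") -> str:
        if op not in OPS:
            return "UNKNOWN"
        if op == "LOGIN":
            return self._login(session, arg)
        if not session.authenticated:
            return "DENIED"
        self.executed.append((op, arg))
        return "OK"


def run_scenarios(cls):
    """Drive one build with the same attacker requests and return the outcomes."""
    rtu = cls(password="correct horse battery", auth_enabled=True)
    udp_attacker, tcp_attacker = Session("udp"), Session("tcp")
    noauth_rtu = cls(password="correct horse battery", auth_enabled=False)
    return {
        "udp_without_login": rtu.handle(udp_attacker, "SHELL", "id"),
        "tcp_without_login": rtu.handle(tcp_attacker, "SHELL", "id"),
        "executed_with_auth_enabled": list(rtu.executed),
        "udp_when_auth_disabled": noauth_rtu.handle(Session("udp"), "SHELL", "id"),
    }


if __name__ == "__main__":
    for cls in (VulnerableRtu, HardenedRtu):
        print(cls.__name__, run_scenarios(cls))
```

Running the module shows the vulnerable build denying the UDP attacker but executing the shell request from the TCP attacker (and from anyone at all once authentication is switched off), while the hardened build denies every unauthenticated request regardless of transport or configuration. The point is structural: the check lives in one place that every operation passes through, so no transport can route around it.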
Red Lion’s swift acknowledgment and patch release are commendable, but the broader industry lesson remains clear: security must evolve at the same pace as connectivity. Organizations operating RTUs or similar devices must adopt a layered defense strategy—network segmentation, strict access control, and continuous monitoring for abnormal traffic patterns.
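One concrete form of the "continuous monitoring for abnormal traffic patterns" recommended above, as an added example rather than any vendor's or Claroty's tooling: a small hunt over Zeek-style conn.log records that flags Sixnet UDR sessions (port 1594) from hosts outside an assumed engineering allowlist, and separately flags UDR over TCP, which is the unauthenticated path on unpatched firmware. The log records, the engineering subnet and the RTU address are constructed for the example.

```python
"""Hunt for Sixnet UDR (TCP/UDP 1594) sessions in Zeek-style conn.log records.
Constructed data and an assumed allowlist; added example, not Red Lion's, Claroty's
or CISA's tooling.
"""
import ipaddress

SIXNET_UDR_PORT = 1594

# Constructed conn.log-like records (tab separated): ts, uid, orig_h, orig_p, resp_h,
# resp_p, proto, duration. The '#fields' line mimics Zeek's header lines.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration
1700000001.0\tCa1\t10.10.5.20\t51000\t10.10.50.7\t1594\tudp\t0.2
1700000002.0\tCa2\t10.10.5.20\t51001\t10.10.50.7\t1594\ttcp\t3.1
1700000003.0\tCa3\t10.10.80.9\t40222\t10.10.50.7\t1594\ttcp\t0.9
1700000004.0\tCa4\t203.0.113.44\t60001\t10.10.50.7\t1594\ttcp\t12.0
1700000005.0\tCa5\t10.10.80.9\t40223\t10.10.50.7\t502\ttcp\t5.0
"""

# Assumed inventory: the only hosts that should ever speak UDR to the RTUs.
ENGINEERING_NETS = [ipaddress.ip_network("10.10.5.0/24")]
RTU_HOSTS = {"10.10.50.7"}

FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "duration")


def parse_conn_log(text):
    """Yield one dict per record, skipping Zeek header/comment lines and blanks."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue                       # malformed line: skip rather than crash
        rec = dict(zip(FIELDS, parts))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        yield rec


def classify(rec, allowed_nets=ENGINEERING_NETS, rtu_hosts=RTU_HOSTS):
    """Return an alert dict for a UDR session that should not be happening, else None."""
    if rec["resp_p"] != SIXNET_UDR_PORT or rec["resp_h"] not in rtu_hosts:
        return None
    src = ipaddress.ip_address(rec["orig_h"])
    from_allowed = any(src in net for net in allowed_nets)
    over_tcp = rec["proto"] == "tcp"
    if from_allowed and not over_tcp:
        return None                        # expected: engineering host over UDP
    if over_tcp and not from_allowed:
        severity, reason = "high", "udr_over_tcp_from_unexpected_source"
    elif over_tcp:
        # Engineering station using TCP: benign once the RTU is patched, but on
        # unpatched firmware this is the unauthenticated path, so it deserves a look.
        severity, reason = "medium", "udr_over_tcp_from_engineering_host"
    else:
        severity, reason = "medium", "udr_udp_from_unexpected_source"
    return {"uid": rec["uid"], "src": rec["orig_h"], "dst": rec["resp_h"],
            "proto": rec["proto"], "severity": severity, "reason": reason}


def audit(text, allowed_nets=ENGINEERING_NETS, rtu_hosts=RTU_HOSTS):
    """Run classify() over every record in the log text and collect the alerts."""
    alerts = []
    for rec in parse_conn_log(text):
        alert = classify(rec, allowed_nets, rtu_hosts)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in audit(SAMPLE_CONN_LOG):
        print(a["severity"].upper(), a["uid"], a["src"], "->", a["dst"], a["proto"], a["reason"])
```

On the constructed records the engineering host's UDP session passes, its TCP session is flagged at medium severity, and the two TCP sessions from outside the allowlist (one from another internal subnet, one from an external address) are flagged high; the Modbus session on port 502 is ignored because this hunt is scoped to UDR. In a real deployment the allowlist and RTU inventory would come from the asset register, and the same logic can be expressed as a firewall or IDS rule on the segmentation boundary.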
The industrial world can no longer treat cybersecurity as an afterthought. Each RTU, each programmable logic controller (PLC), and each connected sensor is a potential entry point for disruption. And as AI-driven automation expands, the stakes grow exponentially higher.
Ultimately, these incidents remind us that digital transformation, while powerful, comes with invisible strings. Every new connection is both a path to progress and a potential breach.
Fact Checker Results:
✅ CVE-2023-40151 and CVE-2023-42770 are both verified vulnerabilities rated 10.0 (critical).
✅ Affected devices include Red Lion SixTRAK and VersaTRAK RTUs confirmed by both Claroty and CISA.
❌ No evidence yet of active exploitation in the wild as of October 2025.
Prediction 🔮
Expect to see increased targeting of industrial IoT and RTU devices over the next year, as attackers realize how easily outdated communication protocols can be weaponized. Cybersecurity in industrial settings will likely shift toward zero-trust architectures, AI-based anomaly detection, and vendor accountability frameworks. The Red Lion case may very well become a benchmark example for future OT cybersecurity reforms worldwide.
References:
Reported By: thehackernews.com