Researchers disclose two CVSS 10.0 flaws in Red Lion Sixnet RTUs

Cybersecurity researchers have disclosed two critical vulnerabilities in Red Lion Sixnet remote terminal units (RTUs) that could allow unauthenticated attackers to execute commands with root privileges, according to a report from Claroty's Team82. The flaws are tracked as CVE-2023-40151 and CVE-2023-42770 and are both rated 10.0 on the CVSS scale.

Red Lion Sixnet RTUs provide automation, control and data acquisition for sectors such as energy, water and wastewater treatment, transportation, utilities and manufacturing. The devices are configured using a Windows utility called Sixnet IO Tool Kit and communicate with the RTUs over a proprietary protocol, the Sixnet “Universal” protocol, according to the report.

The researchers described two main weaknesses. CVE-2023-42770 is an authentication bypass: the RTU software listens on the same port (1594) for both UDP and TCP, but the authentication challenge is presented only over UDP, so messages received over TCP are accepted without any challenge. CVE-2023-40151 is a remote code execution issue that leverages the Sixnet Universal Driver's support for executing Linux shell commands, allowing arbitrary code to run with root privileges.

Claroty said the two flaws can be chained to bypass authentication and achieve remote code execution. In a June 2025 advisory, Red Lion acknowledged the issue and noted that when user authentication is not enabled, the shell can execute commands with the highest privileges.

A November 2023 notice from the U.S. Cybersecurity and Infrastructure Security Agency lists affected products and firmware versions; the agency alert identifies models and firmware such as ST-IPm-8460 (firmware 6.0.202 and later) and several ST/VT models (firmware 4.9.114 and later) as impacted.

The article advised users to apply available patches for the two vulnerabilities as soon as possible. It also recommended enabling user authentication on affected Red Lion RTUs and blocking TCP access to the devices to reduce exposure.
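Because the report says the authentication challenge is only ever sent over UDP, any TCP session that reaches port 1594 on an RTU is traffic that skipped authentication, which makes such sessions a simple thing to hunt for in perimeter logs while the TCP block from the recommendation above is rolled out. The following is an added example, not code from the article, Claroty or Red Lion; it assumes a hypothetical firewall log format and uses constructed sample lines.

```python
"""Flag allowed TCP flows to Sixnet port 1594 on RTU hosts (added example, not vendor code)."""
import re
from collections import defaultdict

SIXNET_PORT = 1594  # port shared by UDP (challenged) and TCP (unchallenged) per the report

# Constructed sample lines in a hypothetical firewall/flow log format:
# <timestamp> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>
SAMPLE_LOG = """\
2023-11-15T08:01:02Z proto=udp src=10.0.5.20:51000 dst=10.0.7.10:1594 action=allow
2023-11-15T08:01:03Z proto=udp src=10.0.5.20:51000 dst=10.0.7.10:1594 action=allow
2023-11-15T08:02:10Z proto=tcp src=10.0.5.20:44112 dst=10.0.7.10:1594 action=allow
2023-11-15T08:05:44Z proto=tcp src=192.0.2.77:33021 dst=10.0.7.10:1594 action=allow
2023-11-15T08:05:45Z proto=tcp src=192.0.2.77:33022 dst=10.0.7.11:1594 action=deny
2023-11-15T08:06:00Z proto=tcp src=10.0.5.21:50211 dst=10.0.7.10:502 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"action=(?P<action>allow|deny)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_unauthenticated_sixnet_tcp(log_text, rtu_hosts):
    """Return {source_ip: [(timestamp, rtu_ip), ...]} for allowed TCP flows to 1594.

    UDP flows to 1594 receive the authentication challenge, so they are skipped;
    denied flows and other ports are skipped as well. What remains is traffic that
    reached the RTU over the path the report says is accepted without a challenge."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"] == "tcp" and rec["dport"] == SIXNET_PORT
                and rec["dst"] in rtu_hosts and rec["action"] == "allow"):
            findings[rec["src"]].append((rec["ts"], rec["dst"]))
    return dict(findings)


if __name__ == "__main__":
    for src, hits in find_unauthenticated_sixnet_tcp(SAMPLE_LOG, {"10.0.7.10", "10.0.7.11"}).items():
        print(f"{src}: {len(hits)} unchallenged TCP flow(s) to Sixnet RTUs -> {hits}")
```

An engineering workstation that legitimately talks to the RTUs over UDP will still be reported if it also opens TCP sessions, so review the sources against the expected IO Tool Kit hosts rather than treating every hit as hostile.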