VYPR
← All advisories
Unrated severityNVD Advisory· Published Feb 15, 2023· Updated Jan 16, 2025

CVE-2023-22806

CVE-2023-22806

Description

LS ELECTRIC XBC-DN32U with OS version 01.80 transmits user credentials and other sensitive data in cleartext over its XGT protocol, enabling remote credential theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LS ELECTRIC XBC-DN32U with OS version 01.80 transmits user credentials and other sensitive data in cleartext over its XGT protocol, enabling remote credential theft.

Vulnerability

The LS ELECTRIC XBC-DN32U PLC module running operating system version 01.80 transmits sensitive information, including user credentials, in cleartext when communicating over its XGT protocol [1]. This corresponds to CWE-319: Cleartext Transmission of Sensitive Information.

Exploitation

An attacker with network access to the PLC can passively capture XGT protocol traffic to obtain sensitive information such as login credentials. No authentication or user interaction is required to eavesdrop on the unencrypted communication.

Impact

Successful exploitation allows an attacker to recover user credentials, which can be used to gain unauthorized access to the PLC. This may lead to control system compromise, including modification of PLC logic, denial of service, or further network intrusion.

Mitigation

As of the advisory date [1], LS ELECTRIC has not released a firmware update to address this vulnerability. Network administrators should isolate the affected devices using firewalls and VPNs, restrict network access to authorized hosts, and monitor for suspicious traffic. Organizations should consult the CISA advisory [1] for recommended mitigations.

References
  1. LS ELECTRIC XBC-DN32U | CISA

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Electricmonk/Xbc Dn32ullm-fuzzy2 versions
    =01.80+ 1 more
    • (no CPE)range: =01.80
    • (no CPE)range: Operating System Version 01.80

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.