AutomationDirect Productivity Suite
- EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AutomationDirect
Equipment: Productivity Suite
Vulnerabilities: Relative Path Traversal, Weak Password Recovery Mechanism for Forgotten Password, Incorrect Permission Assignment for Critical Resource, Binding to an Unrestricted IP Address
- RISK EVALUATION
Successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary code, disclose information, gain full-control access to projects, or obtain read and write access to files.
- TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following AutomationDirect Productivity PLCs are affected:
Productivity Suite: V4.2.1.9 and prior
Productivity 3000 P3-622 CPU: SW v4.4.1.19 and prior
Productivity 3000 P3-550E CPU: SW v4.4.1.19 and prior
Productivity 3000 P3-530 CPU: SW v4.4.1.19 and prior
Productivity 2000 P2-622 CPU: SW v4.4.1.19 and prior
Productivity 2000 P2-550 CPU: SW v4.4.1.19 and prior
Productivity 1000 P1-550 CPU: SW v4.4.1.19 and prior
Productivity 1000 P1-540 CPU: SW v4.4.1.19 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 Relative Path Traversal CWE-23
A relative path traversal (ZipSlip) vulnerability was discovered in Productivity Suite software version 4.2.1.8. The vulnerability allows an attacker who can tamper with a Productivity project to execute arbitrary code on the machine where the project is opened.
CVE-2025-62498 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-62498. A base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Weak Password Recovery Mechanism for Forgotten Password CWE-640
A weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery question.
CVE-2025-61977 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-61977. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 Incorrect Permission Assignment for Critical Resource CWE-732
An incorrect permission assignment for a critical resource vulnerability was discovered in Productivity Suite software version 4.2.1.8. The vulnerability allows an attacker with low-privileged credentials to change their role, gaining full control access to the project.
CVE-2025-62688 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-62688. A base score of 6.9 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.4 Binding to an Unrestricted IP Address CWE-1327
A binding to an unrestricted IP address vulnerability was discovered in Productivity Suite software version 4.2.1.8. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and read, write, or delete arbitrary files and folders on the target machine.
CVE-2025-61934 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-61934. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L).
3.2.5 Relative Path Traversal CWE-23
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.2.1.8. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and read arbitrary files on the target machine.
CVE-2025-58456 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-58456. A base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N).
3.2.6 Relative Path Traversal CWE-23
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.2.1.8. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.
CVE-2025-58078 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H).
A CVSS v4 score has also been calculated for CVE-2025-58078. A base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:L).
3.2.7 Relative Path Traversal CWE-23
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.2.1.8. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary files on the target machine.
CVE-2025-58429 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H).
A CVSS v4 score has also been calculated for CVE-2025-58429. A base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:L).
3.2.8 Relative Path Traversal CWE-23
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.2.1.8. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and create arbitrary directories on the target machine.
CVE-2025-59776 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-59776. A base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N).
3.2.9 Relative Path Traversal CWE-23
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.2.1.8. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine.
CVE-2025-60023 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-60023. A base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Luca Borzacchiello of Nozomi Networks reported these vulnerabilities to AutomationDirect.
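Every CWE-23 entry above (the ZipSlip in project files in 3.2.1 and the simulator's read, write, delete and directory operations in 3.2.5 through 3.2.9) shares one root cause: a client-supplied relative path is used without confirming it resolves inside the intended directory. The following is an added illustration, not AutomationDirect code and not a description of how Productivity Suite actually handles paths; it shows the confinement check a defender would expect in both places, applied to a constructed sample archive and to a constructed list of file requests.

```python
import io
import os
import zipfile
from typing import List, Optional, Tuple


def confine_path(base_dir: str, requested: str) -> Optional[str]:
    """Resolve `requested` relative to `base_dir` and return the absolute
    target if it stays inside `base_dir`; return None if it would escape
    via '..' segments, an absolute path, or a backslash-separated path."""
    base = os.path.realpath(base_dir)
    # Normalise separators and strip leading slashes so an absolute entry is
    # treated as relative to base_dir instead of overriding it.
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base, rel))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def audit_project_archive(data: bytes, dest_dir: str) -> List[str]:
    """Return the names of archive members that would be written outside
    dest_dir (the ZipSlip pattern), without extracting anything."""
    escaping = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if confine_path(dest_dir, info.filename) is None:
                escaping.append(info.filename)
    return escaping


def vet_file_requests(base_dir: str, requested: List[str]) -> Tuple[List[str], List[str]]:
    """Split client-supplied relative paths (as a file-serving component such
    as a simulator's read/write/delete handlers would receive them) into
    those confined to base_dir and those that must be rejected."""
    allowed, rejected = [], []
    for path in requested:
        (allowed if confine_path(base_dir, path) is not None else rejected).append(path)
    return allowed, rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real Productivity project): one
    benign member and one member whose name climbs out of the target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/main.xml", "benign content")
        zf.writestr("../../outside.txt", "would land outside dest_dir")
    return buf.getvalue()
```

The check resolves the real path before comparing, so a symlink inside the base directory that points elsewhere is also caught; an absolute request is deliberately re-rooted under the base rather than honoured.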
- MITIGATIONS
AutomationDirect recommends that users do the following:
Update the Productivity Suite programming software to version 4.5.0.x or higher.
Update the firmware of Productivity PLCs to the latest version. https://www.automationdirect.com/support/software-downloads
Although automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems. It is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems. AutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application.
AutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:
Physically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.
Configure network segmentation to isolate the PLC from other devices and systems within the organization.
Implement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.
Please refer to AutomationDirect’s security considerations for additional information. If you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
- UPDATE HISTORY
October 23, 2025: Initial Publication