CISA Emergency Alert: Critical RCE Flaw (CVSS 10.0) Exposes AutomationDirect PLCs to Unauthenticated Takeover
Estimated reading time: 10 minutes
Key takeaways:
- CISA issued an emergency alert regarding a critical RCE flaw (CVE-2025-61934) in AutomationDirect PLCs.
- Successful exploitation could allow unauthenticated remote attackers to gain complete control over affected systems.
- Update AutomationDirect Productivity Suite to version 4.5.0.x immediately and implement recommended mitigation strategies.
- Organizations should implement a comprehensive cybersecurity strategy, including regular breach detection, supply-chain risk monitoring, and penetration testing.
Table of contents:
- CISA Emergency Alert: Critical RCE Flaw (CVSS 10.0) Exposes AutomationDirect PLCs to Unauthenticated Takeover
- Critical RCE Vulnerability in AutomationDirect PLCs
- Technical Details of the Vulnerabilities
- Implications for Industrial Control Systems (ICS)
- Mitigation Strategies
- Practical Takeaways for Technical and Non-Technical Readers
- PurpleOps Expertise
- Conclusion
- FAQ
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency alert regarding a critical remote code execution (RCE) flaw affecting AutomationDirect's Productivity Suite engineering software and the Productivity-series Programmable Logic Controllers (PLCs) it programs. This CISA emergency alert highlights the severe risk posed by CVE-2025-61934, which carries the highest possible CVSS score of 10.0 and allows unauthenticated remote attackers to gain complete control over affected systems.
Critical RCE Vulnerability in AutomationDirect PLCs
CISA’s advisory warns of nine vulnerabilities in AutomationDirect’s Productivity Suite engineering software and Productivity PLCs. The most critical of these is CVE-2025-61934, a “binding to an unrestricted IP address” issue in the Productivity Suite simulator service that runs on the engineering workstation. This critical RCE flaw allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and read, write, or delete arbitrary files and folders on that machine.
Successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary code, disclose information, gain full control of projects, or obtain read and write access to files. This level of access could be leveraged to overwrite configuration files, plant malicious code, or manipulate the control logic that is downloaded to the PLCs, potentially disrupting automation processes.
The affected AutomationDirect Productivity PLC models include the P3-622, P3-550E, P2-622, and P1-550 CPUs. The vulnerabilities reside in Productivity Suite version 4.4.1.19 and prior.
Several related vulnerabilities (CVE-2025-62498, CVE-2025-58456, CVE-2025-58078, CVE-2025-58429, CVE-2025-59776, and CVE-2025-60023) involve relative path traversal (ZipSlip) flaws, which could allow attackers to read, modify, delete, or create arbitrary files and directories on affected systems. One of these, CVE-2025-62498, received a CVSS score of 8.8 for enabling arbitrary code execution on the host where a malicious project file is opened.
Additionally, CVE-2025-62688 addresses an incorrect permission assignment vulnerability that could let a low-privileged user escalate privileges and “gain full control access to the project.” This issue carries a CVSS score of 7.1. Another notable vulnerability, CVE-2025-61977 (CVSS 7.0), arises from a weak password recovery mechanism in the Productivity Suite. The advisory warns that “an attacker could decrypt an encrypted project by answering just one recovery question.” This could enable unauthorized access to sensitive project data, including PLC configurations, credentials, or intellectual property tied to industrial automation workflows.
Technical Details of the Vulnerabilities
The most severe vulnerability, CVE-2025-61934, stems from the Productivity Suite simulator service binding to an unrestricted IP address. This means the service listens on all available network interfaces of the engineering workstation rather than only on loopback, so any host that can reach that workstation over the network can talk to it, including potentially malicious actors. Because no authentication is required to interact with the simulator service, an attacker can send commands to read, write, or delete arbitrary files on the system. Unrestricted file write on a Windows host is generally enough to reach code execution, so the advisory treats this as a direct pathway to remote code execution. The practical check is therefore which processes on the workstation are listening on 0.0.0.0 or :: rather than 127.0.0.1, both before and after patching.
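The following audit script is an added example for this post, not code from AutomationDirect or CISA. It parses `netstat -ano` output from a Windows host and reports every listening socket that is bound to a wildcard address (0.0.0.0 or ::) or to a specific interface, as opposed to loopback, so the result can be matched against `tasklist` by PID. The sample output is constructed, and the port numbers and PIDs in it are invented; the advisory does not state which port ProductivityService listens on, so nothing below should be read as that port.

```python
import ipaddress

# Constructed sample of `netstat -ano` output from a Windows engineering
# workstation. Ports and PIDs are invented for illustration only.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:9000           0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:9001         0.0.0.0:0              LISTENING       5120
  TCP    192.168.10.5:49700     192.168.10.20:502      ESTABLISHED     7744
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    [::1]:9001             [::]:0                 LISTENING       5120
  UDP    0.0.0.0:5353           *:*                                    1288
"""

WILDCARD = {"0.0.0.0", "::"}


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_listeners(text):
    """Return one dict per TCP LISTENING socket or UDP bound socket."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines, anything that is not a socket row
        proto, local = parts[0], parts[1]
        # UDP rows have no State column; the PID is the last field either way.
        if proto == "TCP" and parts[3] != "LISTENING":
            continue
        host, port = split_endpoint(local)
        listeners.append({"proto": proto, "host": host, "port": port, "pid": int(parts[-1])})
    return listeners


def classify(host):
    """'all-interfaces' for wildcard binds, 'loopback' for 127.x / ::1, else 'specific-interface'."""
    if host in WILDCARD:
        return "all-interfaces"
    try:
        if ipaddress.ip_address(host).is_loopback:
            return "loopback"
    except ValueError:
        return "unknown"
    return "specific-interface"


def exposed_listeners(text):
    """Listeners reachable from the network, i.e. anything not bound to loopback."""
    return [l for l in parse_listeners(text) if classify(l["host"]) != "loopback"]


def exposed_by_pid(text):
    """Group exposed ports by PID so they can be matched against `tasklist`."""
    grouped = {}
    for l in exposed_listeners(text):
        grouped.setdefault(l["pid"], []).append((l["proto"], l["port"]))
    return grouped


if __name__ == "__main__":
    for pid, ports in sorted(exposed_by_pid(SAMPLE_NETSTAT).items()):
        print(f"PID {pid}: {ports}")
```

On a real workstation, feed it the output of `netstat -ano` and resolve each flagged PID with `tasklist /FI "PID eq <pid>"`; any entry belonging to the Productivity Suite simulator that is bound to a wildcard address is the exposure the advisory describes.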
The ZipSlip vulnerabilities (CVE-2025-62498, CVE-2025-58456, CVE-2025-58078, CVE-2025-58429, CVE-2025-59776, and CVE-2025-60023) occur when the software extracts ZIP-based project archives without validating entry names that contain “..” sequences. By crafting a malicious archive, an attacker can make the extraction write files outside the intended directory. The write happens with the privileges of the user who opens the project file, so any file that user can overwrite, including ones the software or the operating system later loads or executes, is in scope, which is how this class of bug leads to arbitrary code execution.
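To make the failure concrete, here is an added example (not AutomationDirect's code and not a reproduction of the actual Productivity Suite extractor) that builds a constructed project archive containing one normal entry and one `../` entry, then extracts it twice: once with a naive join-and-write loop of the kind ZipSlip exploits, and once with an extractor that resolves every target path and refuses anything that lands outside the destination. The archive layout and file names are invented for illustration.

```python
import io
import os
import re
import tempfile
import zipfile


def build_malicious_project():
    """Constructed archive: one legitimate entry plus one path-traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/logic.xml", "<plc/>")       # what a project file might contain (invented)
        zf.writestr("../escaped.txt", "attacker content")  # walks one level above the extraction dir
    return buf.getvalue()


def unsafe_extract(zip_bytes, dest):
    """Vulnerable pattern: os.path.join with an attacker-controlled name, no validation."""
    os.makedirs(dest, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # ".." components are honoured as-is
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes, dest):
    """Hardened extractor: reject absolute names and any resolved path outside dest."""
    dest_real = os.path.realpath(dest)
    os.makedirs(dest_real, exist_ok=True)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Absolute POSIX paths and Windows drive-letter paths are never legitimate entries.
            if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
                rejected.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest_real, name))
            # realpath collapses ".." (and symlinks); commonpath proves the result stays under dest.
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(info.filename)
    return written, rejected


def run_demo():
    """Extract the constructed archive both ways into fresh temp dirs; report where files landed."""
    archive = build_malicious_project()
    unsafe_root = tempfile.mkdtemp(prefix="zipslip-unsafe-")
    safe_root = tempfile.mkdtemp(prefix="zipslip-safe-")
    unsafe_written = unsafe_extract(archive, os.path.join(unsafe_root, "extract"))
    safe_written, safe_rejected = safe_extract(archive, os.path.join(safe_root, "extract"))
    return {
        "unsafe_escaped": os.path.exists(os.path.join(unsafe_root, "escaped.txt")),
        "unsafe_written": unsafe_written,
        "safe_written": safe_written,
        "safe_rejected": safe_rejected,
        "safe_escaped": os.path.exists(os.path.join(safe_root, "escaped.txt")),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The naive loop leaves `escaped.txt` one directory above where the user asked for the project to be unpacked; the hardened version writes the legitimate entry and reports the traversal entry as rejected. The same resolve-and-compare check is what a fix for this class of bug has to perform on every entry name, regardless of which archive library does the unpacking.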
The incorrect permission assignment vulnerability (CVE-2025-62688) allows a low-privileged user to gain full control access to a project. This could be exploited by an insider or an attacker who has already gained limited access to the system.
The weak password recovery mechanism (CVE-2025-61977) allows an attacker to decrypt an encrypted project by answering just one recovery question. This significantly weakens the security of project files, making them vulnerable to unauthorized access.
Implications for Industrial Control Systems (ICS)
PLCs are critical components of industrial control systems (ICS), responsible for automating and controlling various industrial processes. These systems are used in a wide range of industries, including manufacturing, energy, transportation, and water treatment. The CISA emergency alert underscores the potentially devastating consequences of a successful attack on these systems.
Compromising a PLC could lead to:
- Disruption of industrial processes: Attackers could manipulate PLC code to halt production, damage equipment, or cause environmental disasters.
- Theft of sensitive data: Attackers could steal intellectual property, trade secrets, or customer data.
- Physical damage: In some cases, attackers could manipulate PLCs to cause physical damage to equipment or infrastructure.
- Foothold for further intrusion: Compromised PLCs and engineering workstations can serve as entry points into a company’s network, potentially leading to further breaches and impacting partners across the wider supply chain.
Mitigation Strategies
AutomationDirect has released Productivity Suite version 4.5.0.x to address all nine identified vulnerabilities and strongly urges users to update both software and firmware immediately.
For environments where immediate patching is not possible, AutomationDirect and CISA recommend the following interim mitigations:
- Physically disconnecting PLCs from external networks and the internet.
- Segmenting control networks from business or enterprise systems.
- Implementing strict firewall or NAC policies to block unauthorized inbound/outbound traffic.
- Using VPNs for remote access, while recognising that a VPN is only as secure as the endpoints connected to it, so those endpoints must be kept patched and hardened.
Beyond these immediate steps, organizations should implement a comprehensive cybersecurity strategy that includes:
- Regular breach detection exercises to identify and respond to intrusions.
- Implementing supply-chain risk monitoring to assess and mitigate risks associated with third-party vendors and suppliers.
- Utilizing a cyber threat intelligence platform to stay informed about emerging threats and vulnerabilities.
- Implementing a dark web monitoring service to detect compromised credentials or sensitive data being sold online.
- Utilizing real-time ransomware intelligence to proactively defend against ransomware attacks.
- Configuring Telegram threat monitoring to receive alerts about emerging threats and vulnerabilities.
- Implementing live ransomware API integration to automate threat detection and response.
- Leveraging underground forum intelligence to gain insights into attacker tactics and techniques.
- Setting up brand leak alerting to detect unauthorized use of company logos or trademarks.
- Regular penetration testing to identify and remediate vulnerabilities in systems and applications.
Practical Takeaways for Technical and Non-Technical Readers
For Technical Readers:
- Patch Immediately: Prioritize patching AutomationDirect Productivity Suite to version 4.5.0.x. Ensure all affected PLC firmware is also updated.
- Network Segmentation: Implement strict network segmentation to isolate the ICS environment from the corporate network.
- Access Controls: Review and enforce strict access control policies, limiting access to PLCs and related systems to only authorized personnel.
- Intrusion Detection: Implement intrusion detection systems (IDS) to monitor network traffic for malicious activity targeting PLCs.
- Vulnerability Scanning: Conduct regular vulnerability scans to identify and remediate weaknesses in PLC systems.
- Implement a robust patch management process: Make sure you have a cyber threat intelligence team in charge of monitoring new CVEs and patching critical vulnerabilities.
- Establish proper security policies: Define access control, password policies, and incident response plans.
- Ensure proper backup and disaster recovery: Back up your PLC configurations regularly and establish a plan to restore the operation in case of attack.
For Non-Technical Readers (Business Leaders):
- Raise Awareness: Communicate the severity of the threat to all stakeholders, including IT, OT, and executive leadership.
- Allocate Resources: Ensure adequate resources are allocated to implement the recommended mitigation strategies.
- Verify Patching: Confirm that the IT/OT teams have applied the necessary patches and mitigations.
- Third-Party Audit: Consider engaging a third-party cybersecurity firm to conduct an audit of the ICS environment.
- Incident Response Plan: Review and update the incident response plan to address potential PLC compromises.
- Employee training: Train your employees on security best practices, including how to identify and avoid phishing attacks and social engineering attempts.
- Implement multi-factor authentication (MFA): Enable MFA for all remote access and privileged accounts to prevent unauthorized access.
- Stay informed: Regularly monitor threat intelligence feeds and security advisories for new vulnerabilities and threats targeting industrial control systems.
PurpleOps Expertise
PurpleOps provides a comprehensive suite of cybersecurity solutions to help organizations protect their industrial control systems from threats like the critical RCE flaw in AutomationDirect PLCs. Our services include:
- Cyber Threat Intelligence: Access to real-time threat intelligence feeds to stay ahead of emerging threats.
- Dark Web Monitoring: Proactive monitoring of the dark web for compromised credentials and sensitive data.
- Breach Detection: Advanced breach detection capabilities to identify and respond to intrusions quickly.
- Supply Chain Risk Monitoring: Assessment and mitigation of cybersecurity risks associated with third-party vendors and suppliers.
- Penetration Testing: Thorough testing of systems and applications to identify and remediate vulnerabilities.
- Red Team Operations: Simulate real-world attacks to evaluate the effectiveness of security controls.
- Underground Forum Intelligence: Monitoring of underground forums to gather insights into attacker tactics and techniques.
- Real-time Ransomware Intelligence: Proactive defense against ransomware attacks.
Conclusion
The CISA emergency alert regarding the critical RCE flaw in AutomationDirect PLCs serves as a stark reminder of the importance of cybersecurity in industrial control systems. Organizations must take immediate action to patch affected systems and implement robust security controls to protect their critical infrastructure.
To learn more about how PurpleOps can help your organization secure its industrial control systems, explore our platform or PurpleOps Solutions today.
FAQ
Q: What is the CVSS score of the critical RCE flaw?
A: The CVSS score is 10.0, the highest possible.
Q: Which AutomationDirect PLC models are affected?
A: The affected models include P3-622, P3-550E, P2-622, and P1-550 CPUs.
Q: What version of Productivity Suite fixes the vulnerabilities?
A: Version 4.5.0.x addresses all nine identified vulnerabilities.
Q: What are some interim mitigation strategies?
A: Physically disconnecting PLCs, segmenting networks, and implementing strict firewall policies.