Executive Summary
In October 2025, AutomationDirect disclosed multiple critical vulnerabilities affecting its Productivity Suite and a range of Productivity 1000, 2000, and 3000 PLC models, widely deployed in the manufacturing sector. Discovered by Nozomi Networks, the flaws—such as remote code execution, weak password recovery, and unrestricted file system access—could allow unauthenticated attackers to gain full control of affected devices, compromise sensitive project files, and disrupt industrial processes. The vulnerabilities could be exploited remotely with low attack complexity and no user interaction.
This incident highlights rising risks posed by legacy and poorly segmented OT networks, as threat actors increasingly target industrial control systems. The sharp jump in the number and severity of disclosed PLC software vulnerabilities underscores the urgent need for enhanced segmentation, access controls, and monitoring in critical infrastructure environments.
Why This Matters Now
Industrial control system (ICS) environments are facing heightened risk as attackers exploit software and configuration weaknesses to gain deep access. The AutomationDirect incident illustrates how even reputable vendors are susceptible, spotlighting the urgency for organizations to patch PLCs, harden network perimeters, and embrace zero trust strategies in operational networks.
Attack Path Analysis
The attacker initially exploited remote vulnerabilities in the PLC simulator's exposed services to gain unauthorized access. Next, they leveraged misconfigured permissions and weak recovery mechanisms to escalate privileges and take control of project resources. Once inside, the attacker pivoted laterally to affect adjacent services and workloads. They established command and control by maintaining remote access to the environment, potentially uploading malicious payloads. Exfiltration could occur through outbound network flows or through unauthorized file access. Finally, the attacker achieved impact by executing arbitrary code, reading, modifying, or deleting files, or taking full control of ICS operations.
Kill Chain Progression
Initial Compromise
Description
Exploitation of exposed ProductivityService PLC simulator services and relative path traversal vulnerabilities allowed remote, unauthenticated access.
Related CVEs
CVE-2025-62498
CVSS 8.8. A relative path traversal (ZipSlip) vulnerability in Productivity Suite software version 4.4.1.19 allows an attacker to execute arbitrary code on the machine where the project is opened.
Affected Products: AutomationDirect Productivity Suite – 4.4.1.19 and prior
Exploit Status: no public exploit

CVE-2025-61977
CVSS 7. A weak password recovery mechanism in Productivity Suite software version 4.4.1.19 allows an attacker to decrypt an encrypted project by answering a single recovery question.
Affected Products: AutomationDirect Productivity Suite – 4.4.1.19 and prior
Exploit Status: no public exploit

CVE-2025-62688
CVSS 7.1. An incorrect permission assignment in Productivity Suite software version 4.4.1.19 allows an attacker with low-privileged credentials to gain full control access to the project.
Affected Products: AutomationDirect Productivity Suite – 4.4.1.19 and prior
Exploit Status: no public exploit

CVE-2025-61934
CVSS 10. A binding to an unrestricted IP address vulnerability in Productivity Suite software version 4.4.1.19 allows an unauthenticated remote attacker to read, write, or delete arbitrary files and folders on the target machine.
Affected Products: AutomationDirect Productivity Suite – 4.4.1.19 and prior
Exploit Status: no public exploit

CVE-2025-58456
CVSS 6.8. A relative path traversal vulnerability in Productivity Suite software version 4.4.1.19 allows an unauthenticated remote attacker to read arbitrary files on the target machine.
Affected Products: AutomationDirect Productivity Suite – 4.4.1.19 and prior
Exploit Status: no public exploit

CVE-2025-58078
CVSS 7.5. A relative path traversal vulnerability in Productivity Suite software version 4.4.1.19 allows an unauthenticated remote attacker to write files with arbitrary data on the target machine.
Affected Products: AutomationDirect Productivity Suite – 4.4.1.19 and prior
Exploit Status: no public exploit

CVE-2025-58429
CVSS 7.5. A relative path traversal vulnerability in Productivity Suite software version 4.4.1.19 allows an unauthenticated remote attacker to delete arbitrary files on the target machine.
Affected Products: AutomationDirect Productivity Suite – 4.4.1.19 and prior
Exploit Status: no public exploit

CVE-2025-59776
CVSS 4.5. A relative path traversal vulnerability in Productivity Suite software version 4.4.1.19 allows an unauthenticated remote attacker to create arbitrary directories on the target machine.
Affected Products: AutomationDirect Productivity Suite – 4.4.1.19 and prior
Exploit Status: no public exploit

CVE-2025-60023
CVSS 4.5. A relative path traversal vulnerability in Productivity Suite software version 4.4.1.19 allows an unauthenticated remote attacker to delete arbitrary directories on the target machine.
Affected Products: AutomationDirect Productivity Suite – 4.4.1.19 and prior
Exploit Status: no public exploit
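The ZipSlip entry (CVE-2025-62498) and the six relative path traversal CVEs above share one root cause: a caller-supplied relative path is joined to a base directory without checking that the resolved result still lies inside it. The following Python is an added example, not AutomationDirect's code, showing the containment check a project-file importer or file service should apply before any read, write, delete or directory operation; the `safe_join` and `extract_project_archive` names and the in-memory sample archives are constructed for the example.

```python
import io
import os
import tempfile
import zipfile

class PathTraversalError(ValueError):
    """Raised when a caller-supplied path would leave the allowed root."""

def safe_join(root, untrusted_rel):
    """Resolve untrusted_rel under root, raising if it would escape root."""
    root_abs = os.path.realpath(root)
    rel = untrusted_rel.replace("\\", "/")  # archive entry names use '/'
    if rel.startswith("/") or os.path.splitdrive(rel)[0]:
        raise PathTraversalError(f"absolute path rejected: {untrusted_rel!r}")
    # realpath collapses '..' and follows symlinks, so we check the real target
    candidate = os.path.realpath(os.path.join(root_abs, *rel.split("/")))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise PathTraversalError(f"path escapes root: {untrusted_rel!r}")
    return candidate

def extract_project_archive(zip_bytes, dest_dir):
    """Extract an archive; every entry name is validated before any file is written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, safe_join(dest_dir, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
    return [info.filename for info, _ in plan if not info.is_dir()]

def demo():
    """Extract a benign archive, then a constructed ZipSlip-style one, into a scratch dir."""
    ok, bad = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(ok, "w") as zf:
        zf.writestr("project/config.txt", "benign")
    with zipfile.ZipFile(bad, "w") as zf:  # a good entry first, then an escaping one
        zf.writestr("project/a.txt", "x")
        zf.writestr("../escaped.txt", "never written")
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        written = extract_project_archive(ok.getvalue(), dest)
        blocked = False
        try:
            extract_project_archive(bad.getvalue(), dest)
        except PathTraversalError:
            blocked = True
        return {"written": written, "blocked": blocked,
                "escaped": os.path.exists(os.path.join(tmp, "escaped.txt")),
                "partial": os.path.exists(os.path.join(dest, "project", "a.txt"))}
```

Validating the whole entry list before writing anything matters: a single bad entry aborts the import with no partially written project, which is what you want from a fail-closed importer.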
MITRE ATT&CK® Techniques
Access Token Manipulation
Command and Scripting Interpreter: Windows Command Shell
Valid Accounts
Exploitation of Remote Services
Exfiltration Over Alternative Protocol
Data Manipulation: Stored Data Manipulation
Data from Local System
System Services: Service Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Restrict access to system components and cardholder data by business need to know
Control ID: 7.2.3
NYDFS 23 NYCRR 500 – Information Security Program / Access Privileges
Control ID: 500.03/500.07
DORA (Digital Operational Resilience Act) – ICT Security Requirements
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Strong Authentication and Authorization
Control ID: Identity Pillar - Authentication
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
Critical exposure through AutomationDirect Productivity Suite vulnerabilities enabling remote code execution, file manipulation, and complete system compromise in manufacturing control systems.
Automotive
Manufacturing PLCs vulnerable to unauthenticated remote attacks allowing arbitrary code execution, threatening production line integrity and safety-critical automotive manufacturing processes.
Oil/Energy/Solar/Greentech
SCADA and PLC systems face critical vulnerabilities with CVSS 9.3 scores, enabling attackers to disrupt energy production, manipulate control systems, and compromise infrastructure.
Utilities
Critical infrastructure PLCs susceptible to remote exploitation through path traversal and weak authentication, potentially disrupting power generation, distribution, and essential utility services.
Sources
- AutomationDirect Productivity Suite (CISA ICS advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01 (verified)
- AutomationDirect Security Considerations: https://support.automationdirect.com/docs/securityconsiderations.pdf (verified)
- AutomationDirect Software Downloads: https://www.automationdirect.com/support/software-downloads (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying cloud network security controls such as zero trust segmentation, encrypted traffic, east-west isolation, and egress enforcement would markedly constrain an attacker's ability to exploit unprotected PLC services, move laterally, and exfiltrate or destroy ICS resources. Proactive visibility, threat detection, and policy enforcement mechanisms would detect and block key stages of the kill chain before significant operational impact could occur.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized access to sensitive ICS workloads and reduces exposure of PLC simulators.
Control: Multicloud Visibility & Control
Mitigation: Detects anomalous privilege changes and misconfigurations in real-time.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized internal communication and confines attacker movement within isolated segments.
Control: Inline IPS (Suricata)
Mitigation: Identifies and blocks C2 traffic and exploit payloads.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized data exfiltration by blocking unsanctioned outbound flows.
Provides real-time alerts of destructive or anomalous activities to enable rapid intervention.
Impact at a Glance
Affected Business Functions
- Manufacturing Operations
- Process Control Systems
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive operational data and intellectual property due to unauthorized access and control over industrial control systems.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation to strictly isolate ICS workloads, PLC simulators, and sensitive resources from external network access.
- Deploy east-west traffic security and microsegmentation to halt unauthorized lateral movement and contain threats inside the environment.
- Utilize inline IPS and encrypted traffic controls for real-time inspection and protection against exploit delivery and C2 communication.
- Implement rigorous egress security and policy enforcement to detect and block unsanctioned outbound data transfers and exfiltration attempts.
- Augment with comprehensive multicloud visibility, threat detection, and centralized control for rapid incident response and policy assurance.