The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of multiple high-severity vulnerabilities affecting AutomationDirect’s Productivity Programmable Logic Controllers (PLCs) and the Productivity Suite engineering software. Successful exploitation could allow attackers to execute arbitrary code, gain full control over PLC projects, or manipulate system files remotely.
In its latest ICS advisory, CISA revealed that “successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary code, disclose information, gain full-control access to projects, or obtain read and write access to files.”
The flaws, discovered in Productivity Suite version 4.4.1.19 and prior, affect a range of AutomationDirect Productivity PLC models, including the P3-622, P3-550E, P2-622, and P1-550 CPUs. CISA rated one of the vulnerabilities a CVSS score of 10.0, the highest possible, due to its potential for unauthenticated remote exploitation.
The most severe flaw, CVE-2025-61934, is a “binding to an unrestricted IP address” issue in the Productivity Suite simulator service. According to the advisory, “the vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and read, write, or delete arbitrary files and folders on the target machine.”
The vulnerability earned a CVSS v3.1 base score of 10.0, reflecting its potential for complete system compromise if exploited on a network-accessible instance.
CISA cautions that this exposure could be leveraged by threat actors to overwrite configuration files, plant malicious code, or manipulate industrial control logic, potentially disrupting automation processes.
Several related vulnerabilities (CVE-2025-62498, CVE-2025-58456, CVE-2025-58078, CVE-2025-58429, CVE-2025-59776, and CVE-2025-60023) involve relative path traversal (ZipSlip) flaws, which could allow attackers to read, modify, delete, or create arbitrary files and directories on affected systems.
One of these, CVE-2025-62498, received a CVSS score of 8.8 for enabling arbitrary code execution on the host where a compromised project file is opened.
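The ZipSlip pattern named above works because an archive entry name such as `../../x` is joined to the extraction directory unchecked, so the resulting write lands outside it. As an added, defender-side illustration that is not code from the advisory or from AutomationDirect, this Python extractor refuses such entries before writing anything; the archive and its entry names are constructed for the demonstration:

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

def build_sample_archive() -> bytes:
    """Constructed stand-in for a project file: one benign entry, one ZipSlip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/main.prj", "benign project data")
        zf.writestr("../../startup/evil.exe", "would land outside dest")
    return buf.getvalue()

def is_within(base: Path, target: Path) -> bool:
    """True only if target resolves to a location inside base."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False

def safe_extract(archive_bytes: bytes, dest: str) -> dict:
    """Extract entries that stay inside dest; returns {"extracted": [...], "rejected": [...]}."""
    base = Path(dest)
    base.mkdir(parents=True, exist_ok=True)
    report = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():  # parent directories are created as needed below
                continue
            parts = Path(name.replace("\\", "/")).parts
            # Refuse absolute paths, drive letters, '..' components, and paths resolving outside dest.
            bad = os.path.isabs(name) or ".." in parts or (parts and parts[0].endswith(":"))
            if bad or not is_within(base, base / name):
                report["rejected"].append(name)
                continue
            target = base / name
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            report["extracted"].append(name)
    return report

def demo() -> dict:
    """Run the extractor on the constructed archive inside a fresh temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)
```

The same checks apply to any format that is a zip container underneath, which is why the advisory's project-file flaws are classed as path traversal rather than as a parser bug.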
Additionally, CVE-2025-62688 addresses an incorrect permission assignment vulnerability that could let a low-privileged user escalate privileges and “gain full control access to the project.” This issue carries a CVSS score of 7.1.
Another notable vulnerability, CVE-2025-61977 (CVSS 7.0), arises from a weak password recovery mechanism in the Productivity Suite. The advisory warns that “an attacker could decrypt an encrypted project by answering just one recovery question.”
This could enable unauthorized access to sensitive project data, including PLC configurations, credentials, or intellectual property tied to industrial automation workflows.
AutomationDirect has released Productivity Suite version 4.5.0.x to address all nine identified vulnerabilities and strongly urges users to update both software and firmware immediately.
The vendor emphasizes that “automation control system networks must integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.”
For environments where immediate patching is not possible, AutomationDirect and CISA recommend:
- Physically disconnecting PLCs from external networks and the internet.
- Segmenting control networks from business or enterprise systems.
- Implementing strict firewall or NAC policies to block unauthorized inbound/outbound traffic.
- Using VPNs for remote access — but only with up-to-date and secured endpoints.