CVE-2025-60023

Summary

A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine.

Affected Software

VendorProductVersion RangeStatus
AutomationDirectProductivity Suite0 <= SW V4.2.1.9affected
AutomationDirectProductivity 3000 P3-622 CPU0 <= SW V4.2.1.9affected
AutomationDirectProductivity 3000 P3-550E CPU0 <= SW V4.2.1.9affected
AutomationDirectProductivity 3000 P3-530 CPU0 <= SW v4.4.1.19affected
AutomationDirectProductivity 2000 P2-622 CPU0 <= SW v4.4.1.19affected
AutomationDirectProductivity 2000 P2-550 CPU0 <= SW v4.4.1.19affected
AutomationDirectProductivity 1000 P1-550 CPU0 <= SW v4.4.1.19affected
AutomationDirectProductivity 1000 P1-540 CPU0 < SW v4.4.1.19affected

Weaknesses

  • CWE-23: CWE-23

Workarounds

AutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:

  • Physically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.
  • Configure network segmentation to isolate the PLC from other devices and systems within the organization.
  • Implement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.
  • Please refer to AutomationDirect's security considerations https://support.automationdirect.com/docs/securityconsiderations.pdf  for additional information.
  • If you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References