OTPulse

AutomationDirect CLICK PLUS

Plan Patch | 8.3 | ICS-CERT ICSA-25-266-01 | Sep 23, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

AutomationDirect CLICK PLUS PLC controllers (C0-0x, C0-1x, and C2-x models) with firmware versions below v3.71 contain multiple vulnerabilities (CWE-312, CWE-321, CWE-327, CWE-337, CWE-404, CWE-862) that allow disclosure of sensitive information, modification of device settings, privilege escalation, and denial-of-service conditions. These vulnerabilities require network access and user interaction to exploit. AutomationDirect has released firmware v3.80 to address these issues.

What this means
What could happen
An attacker could read sensitive configuration data from your CLICK PLUS PLC, modify control logic or setpoints, escalate privileges to administrative access, or crash the controller causing process interruption. User interaction (e.g., clicking a link) would be required to trigger the attack.
Who's at risk
Water utilities, municipal electric systems, and industrial facilities using AutomationDirect CLICK PLUS controllers (C0-0x, C0-1x, C2-x CPU modules) in process automation, pump control, or critical infrastructure applications should assess their deployed firmware versions and plan upgrades. These controllers are commonly used in small-to-medium automation systems for water treatment, wastewater, and distribution monitoring.
How it could be exploited
An attacker would need to establish network access to the CLICK PLUS PLC and trick an authorized user (engineer or operator) into clicking a malicious link or opening a crafted file. This would allow the attacker to execute code or commands on the PLC with elevated privileges, potentially altering process behavior or disabling operations. The vulnerability chain involves weak cryptography (CWE-327), missing encryption (CWE-312), and insufficient access controls (CWE-862).
Prerequisites
  • Network access to the CLICK PLUS PLC
  • User interaction required (authorized user must click malicious link or open crafted file)
  • PLC running affected firmware version (below v3.71)
  • Remotely exploitable over network
  • Requires user interaction
  • Low attack complexity
  • Affects multiple CWE categories (encryption, access control, information disclosure)
  • No patch available for versions below v3.71
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| CLICK PLUS C2-x CPU firmware | <v3.71 | v3.80 |
| CLICK PLUS C0-0x CPU firmware | <v3.71 | v3.80 |
| CLICK PLUS C0-1x CPU firmware | <v3.71 | v3.80 |
Remediation & Mitigation
Do now
  • WORKAROUND: Disconnect CLICK PLUS PLC from external networks (internet, corporate LAN) until firmware can be updated; operate on isolated, air-gapped internal network only
  • HARDENING: Restrict physical and logical access to authorized engineering and operations personnel only; implement role-based access control
  • HARDENING: Enable logging and monitoring on the PLC and review logs regularly for unauthorized access attempts or configuration changes
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update CLICK PLUS firmware to v3.80 or later
Long-term hardening
  • HARDENING: Locate CLICK PLUS PLC behind firewall and isolate from business network; ensure device is not accessible from internet
  • HARDENING: Maintain current, tested backups of PLC configuration and firmware to enable rapid recovery from compromise
  • HARDENING: Implement endpoint protection (antivirus, EDR) and host-based firewall on engineering workstations that connect to the PLC
  • HARDENING: Train authorized users not to click links or open attachments from unsolicited emails that may originate from attacker social engineering campaigns