AutomationDirect CLICK Programmable Logic Controller

Monitor | CVSS 6.1 | ICS-CERT ICSA-26-022-02 | Jan 22, 2026
Vendor: AutomationDirect
Attack path
  Attack Vector: Local
  Auth Required: Low
  Complexity: Low
  User Interaction: None needed
Summary

AutomationDirect CLICK Programmable Logic Controller contains vulnerabilities (CWE-261: Improper Handling of Insufficient Permissions or Privileges, CWE-256: Plaintext Storage of Password) that allow an attacker with local access and low privilege level to impersonate users, escalate privileges, gain unauthorized access to systems and services, and decrypt sensitive data. Affects CLICK C0-0x, C0-1x, and C2-x series PLCs. CLICK PLUS firmware update to V3.90 addresses these issues; however, the legacy C0 and C2 series have no patch available from the vendor.

What this means
What could happen
An attacker with local access to a CLICK PLC could escalate privileges and decrypt sensitive configuration data, potentially gaining control over industrial processes, changing setpoints, or modifying control logic without authorization.
Who's at risk
Water authorities, municipal utilities, and industrial facilities using AutomationDirect CLICK programmable logic controllers for process automation and control. This includes C0-0x, C0-1x, and C2-x series PLCs commonly used in pump stations, treatment processes, water distribution, and electrical grid automation.
How it could be exploited
An attacker with local access to the PLC or an unprivileged local user account can exploit improper permission handling to escalate privileges. Once elevated, the attacker can decrypt plaintext-stored passwords and gain unauthorized access to PLC functions, allowing modification of process control parameters or logic.
Prerequisites
  • Local access to the PLC (physical access to a terminal, engineering workstation on the same network segment, or remote access via corporate LAN)
  • Low-privilege local user account or ability to log on as an unprivileged user
  • Access to a system or interface where the PLC stores or processes credentials
Key points
  • Local access required
  • Low complexity exploitation
  • Privilege escalation possible
  • Sensitive data in plaintext
  • No patch available for legacy C0 and C2 series
  • No active exploitation reported (KEV)
Exploitability: Unlikely to be exploited (EPSS score 0.0%)
Affected products (3)
Product | Affected Versions | Fix Status
CLICK Programmable Logic Controller: C0-0x | C0-0x | No fix yet
CLICK Programmable Logic Controller: C0-1x | C0-1x | No fix yet
CLICK Programmable Logic Controller: C2-x | C2-x | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Isolate legacy CLICK C0-0x, C0-1x, and C2-x series PLCs from corporate networks and the internet; use only dedicated internal networks or air-gapped systems for device communication
  • HARDENING: Restrict physical and logical access to CLICK PLCs to authorized personnel only; implement access controls such as login requirements and role-based permissions
Schedule — requires maintenance window
  Patching may require device reboot — plan for process interruption
  • HOTFIX: Update CLICK PLUS series PLCs to firmware version V3.90 or later
Long-term hardening
  • HARDENING: Enable system logging on CLICK PLCs and regularly review logs for unauthorized login attempts, privilege escalation attempts, and configuration changes
  • HARDENING: Maintain secure, tested backups of CLICK PLC configurations and firmware to enable rapid recovery in case of unauthorized modifications