What vulnerabilities affect AutomationDirect Productivity Suite?

AutomationDirect is reporting multiple security vulnerabilities affecting its Productivity Suite programming software and Productivity programmable logic controllers (PLCs). Successful exploitation could enable attackers to execute arbitrary code, access sensitive information, gain full-control access to projects, or obtain unauthorized read and write access to files on target machines.

What is CVE-2025-61934 in AutomationDirect Productivity Suite?

CVE-2025-61934 is a critical vulnerability with a CVSS score of 9.3 involving binding to an unrestricted IP address in Productivity Suite software version 4.2.1.8. This flaw allows unauthenticated remote attackers to interact with the ProductivityService PLC simulator and read, write, or delete arbitrary files and folders.

What is CVE-2025-62498 in AutomationDirect software?

CVE-2025-62498 is a relative path traversal (ZipSlip) vulnerability with a CVSS score of 8.6 in Productivity Suite software version 4.2.1.8 that allows attackers who can edit a productivity project to execute arbitrary code on machines where the compromised project is opened.

What are the path traversal vulnerabilities in Productivity Suite?

Multiple relative path traversal vulnerabilities affect Productivity Suite version 4.2.1.8, including CVE-2025-58078 (write files), CVE-2025-58429 (delete files), CVE-2025-58456 (read files), CVE-2025-59776 (create directories), and CVE-2025-60023 (delete directories). These allow unauthenticated remote attackers to interact with the ProductivityService PLC simulator.

What is CVE-2025-61977 in AutomationDirect Productivity Suite?

CVE-2025-61977 is a weak password recovery mechanism vulnerability with a CVSS score of 7.3 in Productivity Suite software version 4.4.1.19. This flaw allows attackers to decrypt encrypted projects by answering just one recovery question.

What is CVE-2025-62688 in Productivity Suite software?

CVE-2025-62688 is an incorrect permission assignment vulnerability with a CVSS score of 6.9 in Productivity Suite software version 4.2.1.8 that enables attackers with low-privileged credentials to escalate their permissions and change their role, gaining full control access to projects.

Advisory

Multiple vulnerabilities reported in AutomationDirect Productivity Suite and PLCs, at least one critical

Q: Which AutomationDirect products are affected by these vulnerabilities?

Affected products include Productivity Suite programming software version 4.2.1.9 and prior, and multiple Productivity PLC models including Productivity 3000 (P3-622, P3-550E, P3-530), Productivity 2000 (P2-622, P2-550), and Productivity 1000 (P1-550, P1-540) CPUs with firmware version 4.4.1.19 and prior.

Q: Has AutomationDirect released patches for the Productivity Suite vulnerabilities?

Yes, AutomationDirect strongly recommends that users update their Productivity Suite programming software to version 4.5.0.x or higher and upgrade the firmware of all Productivity PLCs to the latest available version.

Q: What should organizations do if they cannot patch AutomationDirect PLCs immediately?

Organizations that cannot immediately upgrade should disconnect PLCs from all external networks, including the internet, local area networks, and other interconnected systems. They should also implement network segmentation to isolate PLCs from other devices and systems within their infrastructure.

published: Oct. 23, 2025

Take action: If you use AutomationDirect Productivity Suite software or PLCs, plan a quick update to version 4.5.0.x or later. In the meantime make sure they are isolated from the internet and accessible from trusted networks.

Learn More

AutomationDirect is reporting multiple security vulnerabilities affecting its Productivity Suite programming software and Productivity programmable logic controllers (PLCs). Successful exploitation of these vulnerabilities could enable attackers to execute arbitrary code, access sensitive information, gain full-control access to projects, or obtain unauthorized read and write access to files on target machines.

Vulnerabilities summary:

CVE-2025-61934 (CVSS score 9.3): A binding to an unrestricted IP address in Productivity Suite software version 4.2.1.8. This flaw allows unauthenticated remote attackers to interact with the ProductivityService PLC simulator and read, write, or delete arbitrary files and folders.
CVE-2025-62498 (CVSS score 8.6): A relative path traversal (ZipSlip) vulnerability in Productivity Suite software version 4.2.1.8 that allows attackers who can edit a productivity project to execute arbitrary code on machines where the compromised project is opened.
CVE-2025-58078 (CVSS score 8.3): A relative path traversal vulnerability in Productivity Suite software version 4.2.1.8 enabling unauthenticated remote attackers to interact with the ProductivityService PLC simulator and write files containing arbitrary data on target machines.
CVE-2025-58429 (CVSS score 8.3): A relative path traversal vulnerability in Productivity Suite software version 4.2.1.8 that allows unauthenticated remote attackers to interact with the ProductivityService PLC simulator and delete arbitrary files on target machines.
CVE-2025-58456 (CVSS score 8.2): A relative path traversal vulnerability in Productivity Suite software version 4.2.1.8 that permits unauthenticated remote attackers to interact with the ProductivityService PLC simulator and read arbitrary files on target machines.
CVE-2025-61977 (CVSS score 7.3): A weak password recovery mechanism for forgotten passwords in Productivity Suite software version v4.4.1.19. This flaw allows attackers to decrypt encrypted projects by answering just one recovery question.
CVE-2025-62688 (CVSS score 6.9): An incorrect permission assignment vulnerability in Productivity Suite software version 4.2.1.8 that enables attackers with low-privileged credentials to escalate their permissions and change their role, gaining full control access to projects.
CVE-2025-59776 (CVSS score 6.3): A relative path traversal vulnerability in Productivity Suite software version 4.2.1.8 permitting unauthenticated remote attackers to interact with the ProductivityService PLC simulator and create arbitrary directories on target machines.
CVE-2025-60023 (CVSS score 6.3): A relative path traversal vulnerability in Productivity Suite software version 4.2.1.8 that allows unauthenticated remote attackers to interact with the ProductivityService PLC simulator and delete arbitrary directories on target machines.

The following AutomationDirect products are affected by these vulnerabilities:

Productivity Suite programming software version 4.2.1.9 and prior
Productivity 3000 P3-622 CPU with firmware SW v4.4.1.19 and prior
Productivity 3000 P3-550E CPU with firmware SW v4.4.1.19 and prior
Productivity 3000 P3-530 CPU with firmware SW v4.4.1.19 and prior
Productivity 2000 P2-622 CPU with firmware SW v4.4.1.19 and prior
Productivity 2000 P2-550 CPU with firmware SW v4.4.1.19 and prior
Productivity 1000 P1-550 CPU with firmware SW v4.4.1.19 and prior
Productivity 1000 P1-540 CPU with firmware SW v4.4.1.19 and prior

AutomationDirect strongly recommends that users update their Productivity Suite programming software to version 4.5.0.x or higher and upgrade the firmware of all Productivity PLCs to the latest available version.

Organizations that cannot immediately upgrade to the patched versions should disconnect PLCs from all external networks, including the internet, local area networks, and other interconnected systems. Organizations should implement network segmentation to isolate PLCs from other devices and systems within their infrastructure.

Multiple vulnerabilities reported in AutomationDirect Productivity Suite and PLCs, at least one critical

Read More
Multiple Vulnerabilities Reported in EVMAPA Electric Vehicle Charging …
Schneider Electric reports critical flaw in Modicon Programmable …
HPE Patches Critical Access Bypass in Telco Service …
Critical remote code execution flaw reported in Industrial …
Siemens patches multiple critical flaws in User Management …