CVE-2025-58078 Overview
CVE-2025-58078 is a relative path traversal vulnerability [CWE-23] in AutomationDirect Productivity Suite version 4.4.1.19. The flaw resides in the ProductivityService PLC simulator component. An unauthenticated remote attacker can interact with the service and write files with arbitrary data to the target machine. The vulnerability affects industrial control system (ICS) engineering software used to program AutomationDirect Productivity series programmable logic controllers (PLCs). Because the attack vector is network-based and requires no authentication or user interaction, exposed simulator instances present a direct path to file write primitives on the host.
Critical Impact
Unauthenticated remote attackers can write arbitrary files to engineering workstations running the Productivity Suite PLC simulator, enabling tampering with control logic and downstream impact on operational technology environments.
Affected Products
- AutomationDirect Productivity Suite version 4.4.1.19
- ProductivityService PLC simulator component
- Engineering workstations hosting the Productivity Suite software
Discovery Timeline
- 2025-10-23 - CVE-2025-58078 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-58078
Vulnerability Analysis
The vulnerability is a relative path traversal flaw classified under [CWE-23]. The ProductivityService component exposes a network-accessible interface that handles file operations without properly validating supplied path elements. An attacker can submit crafted path strings containing relative traversal sequences such as ..\ or ../ to escape the intended working directory. The service then writes attacker-controlled data to arbitrary locations within the host file system. No authentication is required to reach the vulnerable interface.
Root Cause
The root cause is insufficient input sanitization on file path parameters consumed by the simulator service. The application accepts file path inputs and concatenates them with a base directory without canonicalizing the result or rejecting traversal sequences. This allows path resolution to redirect writes outside any intended sandbox boundary.
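The two code paths below, written here as an added illustration rather than code from Productivity Suite or the advisory, contrast the concatenate-and-write pattern described above with a hardened join that canonicalizes the result and refuses anything that resolves outside the base directory. `ntpath` is used so the Windows path semantics hold wherever the snippet is run; the project directory is a constructed placeholder, not the product's real location.

```python
import ntpath  # Windows path semantics regardless of the host running this example

# Constructed example base directory; the real Productivity Suite project
# location is not stated on the page.
PROJECT_DIR = r"C:\ProductivitySuite\Projects"


def vulnerable_join(base_dir: str, user_path: str) -> str:
    """Root-cause pattern: concatenate caller input onto a base directory and
    hand the result straight to the file API, never checking where it resolves."""
    return ntpath.join(base_dir, user_path)


def resolved_target(base_dir: str, user_path: str) -> str:
    """Where the OS will actually write for the vulnerable pattern once '..'
    and mixed separators are collapsed."""
    return ntpath.normpath(vulnerable_join(base_dir, user_path))


def safe_join(base_dir: str, user_path: str) -> str:
    """Hardened form: reject drive-qualified or UNC input, canonicalize the
    concatenation, then require the result to stay under base_dir."""
    if ntpath.splitdrive(user_path)[0] or ntpath.isabs(user_path):
        raise ValueError(f"absolute or drive-qualified path rejected: {user_path!r}")
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base_dir, user_path))
    # Compare case-insensitively with a trailing separator so C:\Projects2
    # is not mistaken for a child of C:\Projects.
    base_cmp = ntpath.normcase(base) + "\\"
    if not (ntpath.normcase(candidate) + "\\").startswith(base_cmp):
        raise ValueError(f"path escapes base directory: {user_path!r} -> {candidate}")
    return candidate


def is_safe_path(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper: True when safe_join would accept the input."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    samples = (r"project1\main.prj",
               r"..\..\Windows\System32\drivers\etc\hosts",
               "../../Windows/evil.exe",
               r"\Windows\evil.exe")
    for p in samples:
        print(f"{p!r:48} vulnerable -> {resolved_target(PROJECT_DIR, p)!s:45} "
              f"safe -> {is_safe_path(PROJECT_DIR, p)}")
```

On a live system the containment check should run on `os.path.realpath` of the candidate as well, so that a symbolic link or junction inside the project tree cannot redirect the write; the snippet keeps to pure string canonicalization so it runs without touching the file system.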
Attack Vector
The attack vector is network-based. An attacker reaches the ProductivityService listener on the host running Productivity Suite and issues a request that includes a relative path traversal payload along with arbitrary file content. The service writes the supplied content to the resolved path with the privileges of the simulator process. Attackers can overwrite project files, drop executables in startup paths, or modify configuration files. Refer to the CISA ICS Advisory ICSA-25-296-01 for vendor-confirmed technical details.
Detection Methods for CVE-2025-58078
Indicators of Compromise
- Unexpected files appearing in system directories, user profile paths, or startup locations on workstations running Productivity Suite
- Modified or newly created files outside the expected Productivity Suite project directories
- Inbound network connections to the ProductivityService listener from untrusted sources or external networks
Detection Strategies
- Monitor file system events on Productivity Suite hosts for write operations originating from the simulator service process to paths outside its installation directory
- Inspect network traffic to the simulator service for request payloads containing path traversal sequences such as ..\, ../, or URL-encoded equivalents (%2e%2e%2f)
- Alert on creation of executables, scripts, or scheduled task definitions on engineering workstations that host PLC programming software
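The traffic-inspection strategy above, as an added example that is not part of the original page: a small scanner run over constructed (source IP, requested path) pairs, decoding percent-encoding a bounded number of times so that both `%2e%2e%2f` and the double-encoded `%252e%252e%252f` surface as `../`, and then flagging only genuine `..` segments so a file named `..archive` is not a false positive. The request format of ProductivityService is not described on the page, so the input shape is an assumption.

```python
from urllib.parse import unquote

# Constructed sample of (source_ip, requested_path) pairs as a network sensor
# might extract them from requests to the simulator listener. Not real traffic.
SAMPLE_REQUESTS = [
    ("10.0.5.21", "project1/main.prj"),
    ("10.0.5.21", r"..\..\Windows\System32\drivers\etc\hosts"),
    ("203.0.113.7", "%2e%2e%2f%2e%2e%2fWindows%2fevil.exe"),
    ("203.0.113.7", "%252e%252e%252fstartup%252fx.bat"),
    ("10.0.5.30", "logs/..archive/file.txt"),
]


def fully_decode(value: str, max_rounds: int = 3) -> tuple:
    """Undo percent-encoding until the string stops changing (bounded), so a
    double-encoded %252e%252e%252f is seen as ../ rather than missed.
    Returns (decoded_value, number_of_decoding_rounds_applied)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def has_traversal(path: str) -> bool:
    """True when any path segment is exactly '..' after normalizing both
    separator styles. A segment like '..archive' is an ordinary name."""
    return ".." in path.replace("\\", "/").split("/")


def scan_requests(requests):
    """Return one finding per request whose decoded path contains traversal."""
    findings = []
    for src_ip, raw_path in requests:
        decoded, rounds = fully_decode(raw_path)
        if has_traversal(decoded):
            findings.append({
                "src_ip": src_ip,
                "raw": raw_path,
                "decoded": decoded,
                "encoding_rounds": rounds,  # >1 means the payload was double-encoded
            })
    return findings


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['src_ip']:14} rounds={f['encoding_rounds']} {f['raw']!r} -> {f['decoded']!r}")
```

The `encoding_rounds` field is worth keeping in the alert: a request that needed two decoding passes to reveal `../` is almost never legitimate client behaviour and is a strong signal on its own.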
Monitoring Recommendations
- Capture and retain process and file telemetry from engineering workstations in a centralized data lake for retrospective hunting
- Baseline normal ProductivityService network behavior and alert on connections from non-engineering subnets
- Correlate ICS workstation file write events with subsequent process executions to detect post-write code activation
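The first detection strategy (simulator writes outside its installation tree) and the correlation recommendation above, combined into one added example that is not code from the page or the vendor. It runs two rules over constructed endpoint telemetry: rule 1 flags a write by the simulator process to a path outside the install directory, and rule 2 flags a process later starting from a path that rule 1 flagged within a ten-minute window. The executable name `ProductivityService.exe`, the install path and the event schema are all assumptions; the page names the component but not its image name.

```python
import ntpath
from datetime import datetime, timedelta

# Assumed image name of the simulator process; the page names the component
# "ProductivityService" but not its executable. Install path is constructed.
SIMULATOR_PROCESS = "ProductivityService.exe"
INSTALL_DIR = r"C:\ProductivitySuite"
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed endpoint telemetry for one workstation. "path" is the file
# written (file_write) or the file executed (process_start); simplified schema.
SAMPLE_EVENTS = [
    {"ts": "2025-10-24T09:00:00", "type": "file_write", "process": "ProductivityService.exe",
     "path": r"C:\ProductivitySuite\Projects\line1.prj"},
    {"ts": "2025-10-24T09:01:10", "type": "file_write", "process": "ProductivityService.exe",
     "path": r"C:\Users\eng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"ts": "2025-10-24T09:03:45", "type": "process_start", "process": "cmd.exe",
     "path": r"C:\Users\eng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"ts": "2025-10-24T09:30:00", "type": "process_start", "process": "notepad.exe",
     "path": r"C:\Windows\System32\notepad.exe"},
]


def is_under(base_dir: str, path: str) -> bool:
    """Case-insensitive containment test on canonicalized Windows paths."""
    base = ntpath.normcase(ntpath.normpath(base_dir)) + "\\"
    return (ntpath.normcase(ntpath.normpath(path)) + "\\").startswith(base)


def correlate(events, install_dir=INSTALL_DIR, window=CORRELATION_WINDOW):
    """Rule 1: simulator writes outside its install tree.
    Rule 2: a process starts from a rule-1 path within the window."""
    alerts = []
    suspicious_writes = {}  # normalized path -> time of the suspicious write
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = ntpath.normcase(ntpath.normpath(ev["path"]))
        if ev["type"] == "file_write" and ev["process"].lower() == SIMULATOR_PROCESS.lower():
            if not is_under(install_dir, ev["path"]):
                suspicious_writes[key] = ts
                alerts.append({"rule": "write_outside_install", "ts": ev["ts"], "path": ev["path"]})
        elif ev["type"] == "process_start":
            written_at = suspicious_writes.get(key)
            if written_at is not None and timedelta(0) <= ts - written_at <= window:
                alerts.append({
                    "rule": "post_write_execution",
                    "ts": ev["ts"],
                    "path": ev["path"],
                    "seconds_after_write": int((ts - written_at).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Keyed on the canonicalized path, the correlation works even when the write and the execution events report the path with different case or separator style, which is common when file telemetry and process telemetry come from different sensors.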
How to Mitigate CVE-2025-58078
Immediate Actions Required
- Identify all hosts running AutomationDirect Productivity Suite version 4.4.1.19 and inventory their network exposure
- Restrict network access to engineering workstations so the ProductivityService listener is unreachable from production, IT, or external networks
- Apply vendor-released updates as published on the AutomationDirect Software Downloads page
- Review file system integrity on affected hosts for unauthorized writes
Patch Information
AutomationDirect publishes Productivity Suite updates through its software downloads portal. Administrators should consult the CISA ICS Advisory ICSA-25-296-01 and the AutomationDirect Security Considerations document for the fixed version and recommended deployment steps. The advisory references the GitHub CSAF Document for machine-readable vulnerability data.
Workarounds
- Run Productivity Suite only on isolated engineering workstations segmented from operational and corporate networks
- Block inbound traffic to the simulator service at the host firewall when the simulator is not actively in use
- Disable or stop the ProductivityService simulator when development work is not in progress
- Follow the network segmentation and defense-in-depth practices outlined in the CISA ICS advisory for control system environments
REM Example host firewall rule (Windows, run from an elevated cmd prompt) to block remote access to the simulator service
REM Replace <PORT> with the ProductivityService listener port observed in your environment
netsh advfirewall firewall add rule name="Block ProductivityService Remote" ^
    dir=in action=block protocol=TCP localport=<PORT> ^
    remoteip=any profile=any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.