CVE-2025-58429 Overview
CVE-2025-58429 is a relative path traversal vulnerability [CWE-23] in AutomationDirect Productivity Suite version 4.4.1.19. The flaw resides in the ProductivityService PLC simulator component. An unauthenticated remote attacker can interact with the service and delete arbitrary files on the host running the software. The issue is tracked in CISA ICS Advisory ICSA-25-296-01 and affects engineering workstations used to develop and simulate programmable logic controller (PLC) projects.
Critical Impact
Unauthenticated remote attackers can delete arbitrary files on systems running the vulnerable Productivity Suite, disrupting PLC project files, engineering workflows, and supporting operating system components.
Affected Products
- AutomationDirect Productivity Suite version 4.4.1.19
- ProductivityService PLC simulator component
- Engineering workstations running the affected software
Discovery Timeline
- 2025-10-23 - CVE-2025-58429 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-58429
Vulnerability Analysis
The vulnerability is a relative path traversal classified under [CWE-23]. The ProductivityService, a network-facing simulator process bundled with Productivity Suite, accepts file path input from remote clients without sufficient validation. An attacker can supply path traversal sequences such as ..\ or ../ to escape the intended working directory. The service then performs file deletion against the resolved location.
Because the service exposes this functionality over the network without authentication, the attacker does not need credentials or user interaction. The impact is concentrated on integrity and availability: arbitrary files reachable by the service account can be removed, which can corrupt PLC projects, break the simulator runtime, or damage operating system files. Confidentiality is not directly impacted, but downstream effects on industrial control system (ICS) operations can be significant.
Root Cause
The root cause is missing canonicalization and validation of user-supplied file paths before passing them to file system delete operations. The service does not restrict resolved paths to an allow-listed base directory, allowing relative traversal sequences to reach arbitrary locations on disk.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker with reachability to the ProductivityService listener sends a crafted request containing traversal sequences in a file path parameter. The service resolves the path and deletes the targeted file. See CISA ICS Advisory ICSA-25-296-01 for protocol-level details.
No verified public exploit code is available. The vulnerability mechanism is described in prose only; refer to the GitHub CSAF Document for the authoritative advisory.
Detection Methods for CVE-2025-58429
Indicators of Compromise
- Unexpected deletion of files within Productivity Suite project directories or adjacent operating system paths.
- Inbound network connections to the ProductivityService listener from unknown or external sources.
- Application or simulator crashes following remote interaction with the service.
- Windows Security or Sysmon FileDelete events originating from the Productivity Suite service process targeting files outside its expected working directory.
Detection Strategies
- Monitor process-level file deletion events from the ProductivityService binary and alert when target paths contain ..\ or ../ sequences or resolve outside the install directory.
- Inspect network traffic to the ProductivityService port for path parameters containing traversal patterns.
- Correlate file deletion events on engineering workstations with concurrent network sessions to the simulator service.
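The following Python is an added example, not code from AutomationDirect, CISA or the advisory. It serves two passages on this page: the Root Cause section's missing canonicalize-and-validate step, shown as a hardened delete handler, and the Detection Strategies bullet that flags ProductivityService file deletions with traversal sequences or targets outside the install directory, run over constructed Sysmon FileDelete records. The install path is assumed from this page's firewall example; the event field values are invented.

```python
import ntpath
from typing import Optional

# Install dir from this page's netsh example (assumed location; adjust to the deployment).
INSTALL_DIR = r"C:\Program Files\AutomationDirect\Productivity Suite"
SYSMON_FILE_DELETE = 23  # Sysmon Event ID for FileDelete

def resolve_under_base(base: str, user_path: str) -> Optional[str]:
    """Canonicalize a client-supplied path and return it only if it stays inside
    base, else None: the check the page says the service lacks. ntpath gives
    Windows path semantics even when this runs on a non-Windows host."""
    base_norm = ntpath.normcase(ntpath.normpath(base))
    # Absolute or drive-qualified input replaces base inside join(); normpath
    # collapses "." and ".." components, so any escape shows up in the result.
    resolved = ntpath.normpath(ntpath.join(base, user_path))
    resolved_cmp = ntpath.normcase(resolved)
    # A separator after base is required so a sibling like "...Suite2\x" is rejected.
    if resolved_cmp == base_norm or resolved_cmp.startswith(base_norm + "\\"):
        return resolved
    return None

def handle_delete_request(user_path: str, base: str = INSTALL_DIR) -> str:
    """Hardened delete handler: refuse instead of unlinking when the resolved
    path leaves the base directory (the os.remove call is left out on purpose)."""
    target = resolve_under_base(base, user_path)
    return "rejected" if target is None else "would delete " + target

# Constructed Sysmon FileDelete records: field names follow Sysmon's schema,
# the values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": INSTALL_DIR + r"\ProductivityService.exe",
     "TargetFilename": INSTALL_DIR + r"\Projects\Pump_Station.adpro"},
    {"EventID": 23, "Image": INSTALL_DIR + r"\ProductivityService.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\eng\Desktop\notes.txt"},
]

def suspicious_deletes(events, install_dir: str = INSTALL_DIR) -> list:
    """Detection rule from the page: FileDelete events by ProductivityService.exe
    whose target carries a traversal sequence or resolves outside install_dir."""
    hits = []
    for ev in events:
        if ev.get("EventID") != SYSMON_FILE_DELETE:
            continue
        if ntpath.basename(ev.get("Image", "")).lower() != "productivityservice.exe":
            continue
        target = ev.get("TargetFilename", "")
        if "..\\" in target or "../" in target or resolve_under_base(install_dir, target) is None:
            hits.append(target)
    return hits
```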
Monitoring Recommendations
- Enable file system auditing on the Productivity Suite installation directory and parent paths.
- Forward endpoint telemetry from engineering workstations to a centralized SIEM for correlation with ICS network logs.
- Track availability of PLC project files via integrity monitoring to surface unauthorized deletions quickly.
How to Mitigate CVE-2025-58429
Immediate Actions Required
- Restrict network access to engineering workstations running Productivity Suite using host firewalls and network segmentation, per AutomationDirect Security Considerations.
- Block external reachability to the ProductivityService listener and limit inbound connections to trusted engineering hosts only.
- Place affected systems behind ICS demilitarized zones (DMZs) and require VPN access for remote engineering work.
- Back up PLC project files and engineering data to offline storage to enable recovery from unauthorized deletion.
Patch Information
AutomationDirect provides updated software via the AutomationDirect Software Downloads portal. Apply the vendor-supplied fixed version as documented in CISA ICS Advisory ICSA-25-296-01. Verify the installed version is later than 4.4.1.19 after upgrade.
Workarounds
- Disable the PLC simulator service when not actively in use for development or testing.
- Enforce strict host firewall rules permitting connections to the simulator only from localhost or designated engineering IP addresses.
- Operate Productivity Suite under a low-privilege Windows account to limit the file scope reachable for deletion.
- Isolate engineering workstations from operational technology (OT) networks and the public internet in line with CISA defense-in-depth guidance.
:: Example Windows Firewall rule (cmd.exe syntax, "^" continues the line) that blocks inbound
:: connections to ProductivityService.exe from other hosts. Windows Firewall does not filter
:: loopback traffic, so use from localhost continues to work.
netsh advfirewall firewall add rule name="Block ProductivityService External" ^
dir=in action=block program="C:\Program Files\AutomationDirect\Productivity Suite\ProductivityService.exe" ^
enable=yes profile=any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.