CVE-2025-59484 Overview
A critical cryptographic vulnerability has been identified in the AutomationDirect Click Plus PLC firmware version 3.60. The vulnerability stems from the use of a broken or risky cryptographic algorithm, specifically an insecure implementation of RSA encryption. This weakness (CWE-327: Use of a Broken or Risky Cryptographic Algorithm) could allow attackers to compromise the confidentiality and integrity of encrypted communications between the PLC and connected systems.
Industrial control systems (ICS) like PLCs are critical infrastructure components that control manufacturing processes, utility systems, and other operational technology environments. A cryptographic weakness in such devices poses significant risks to operational security and can potentially enable unauthorized access, data manipulation, or industrial espionage.
Critical Impact
Attackers exploiting this vulnerability could decrypt sensitive communications, forge authenticated messages, or compromise the integrity of industrial control operations in environments using the affected Click Plus PLC firmware.
Affected Products
- AutomationDirect Click Plus PLC - Firmware version 3.60
Discovery Timeline
- 2025-09-23 - CVE-2025-59484 published to NVD
- 2025-09-24 - Last updated in NVD database
Technical Details for CVE-2025-59484
Vulnerability Analysis
This vulnerability affects the cryptographic subsystem within the Click Plus PLC firmware version 3.60. The core issue lies in an insecure implementation of the RSA encryption algorithm, which is used to protect communications and potentially authenticate commands to the PLC device.
RSA encryption security depends on proper key generation, adequate key sizes, correct padding schemes, and secure random number generation. When any of these components are implemented incorrectly, the encryption can be weakened to the point where attackers can feasibly break the cryptographic protection.
In industrial control system environments, compromised encryption could allow attackers to intercept and decrypt control commands, inject malicious commands that appear legitimate, or extract sensitive operational data transmitted between the PLC and engineering workstations or SCADA systems.
Root Cause
The root cause is classified as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm): the firmware's RSA implementation does not meet current cryptographic standards. The public description does not say which property is deficient; in embedded RSA implementations a CWE-327 finding usually comes down to one or more of the following:
- Insufficient key length (1024-bit or shorter moduli, which NIST has disallowed for new use after 2013 and which are within reach of well-resourced factoring efforts)
- Missing or improper padding (textbook RSA with no padding, which is deterministic and malleable, or PKCS#1 v1.5 padding exposed to a padding oracle, instead of OAEP for encryption and PSS for signatures)
- Predictable randomness during key generation, so that primes can be guessed or end up shared between devices
- Improper handling of cryptographic parameters (for example, accepting a small or peer-supplied modulus, or leaking the private exponent through non-constant-time arithmetic)
Any one of these undermines the confidentiality and integrity guarantees that RSA is supposed to provide.
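As an added illustration (example code written for this page, not code from the CLICK PLUS firmware, whose exact defect the public description does not specify), the following Python shows why three of the candidate weaknesses above matter in practice: unpadded RSA lets an observer recognise repeated commands and forge a ciphertext that scales an encrypted value without the private key; a modulus that is too short can be factored to recover the private exponent; and a key generator with predictable randomness that repeats a prime across devices is broken by a single gcd. The primes, the "setpoint" value and the second "device" are constructed, and the moduli are deliberately toy-sized (about 60 bits) so the factoring step completes in well under a second.

```python
"""Added illustration of three candidate RSA weaknesses (example code for this page,
not firmware code). Primes, messages and the second 'device' are constructed."""

import math
import random


def keygen(p, q, e=65537):
    """Textbook RSA key pair from two primes. Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def textbook_encrypt(pub, m):
    """Raw RSA: c = m^e mod n. No padding, so it is deterministic and malleable."""
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def textbook_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def forge_scaled_ciphertext(pub, c, k):
    """Weakness 1: without padding RSA is multiplicatively homomorphic.
    Seeing c = Enc(m), an attacker produces Enc(m*k) with only the public key,
    because Enc(m) * Enc(k) = (m*k)^e mod n."""
    n, _ = pub
    return (c * textbook_encrypt(pub, k)) % n


def pollard_rho(n, seed=1):
    """Weakness 2: a short modulus is factorable. Pollard's rho (Floyd cycle
    finding) finds a factor of n in roughly sqrt(p) steps, p the smallest factor."""
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d             # non-trivial factor found
        # d == n: the sequence cycled before a factor appeared; retry with new c


def recover_private_key(pub, seed=1):
    """Factor n, rebuild phi and derive d exactly as the legitimate owner did."""
    n, e = pub
    p = pollard_rho(n, seed)
    q = n // p
    phi = (p - 1) * (q - 1)
    return n, pow(e, -1, phi)


def shared_factor(n1, n2):
    """Weakness 3: predictable key-generation randomness. If two devices' generators
    emit the same prime, gcd(n1, n2) reveals it and breaks both keys instantly."""
    g = math.gcd(n1, n2)
    return g if 1 < g < n1 else None


def demo():
    # Constructed primes, chosen small so the example runs quickly.
    p, q, q2 = 1000000007, 998244353, 1000000009
    pub, priv = keygen(p, q)
    n, _ = pub

    # Deterministic encryption: identical commands give identical ciphertexts,
    # so an observer can recognise (and replay) repeated messages.
    setpoint = 42
    c = textbook_encrypt(pub, setpoint)
    deterministic = c == textbook_encrypt(pub, setpoint)

    # Malleability: scale the encrypted setpoint by 1000 without knowing d.
    forged = forge_scaled_ciphertext(pub, c, 1000)
    forged_plain = textbook_decrypt(priv, forged)     # 42000

    # Short modulus: recover the private key from the public key alone.
    recovered = recover_private_key(pub)

    # A second 'device' whose PRNG reused p: the gcd leaks p.
    pub2, _ = keygen(p, q2)
    leaked_prime = shared_factor(n, pub2[0])

    return {
        "deterministic": deterministic,
        "forged_plain": forged_plain,
        "key_recovered": recovered == priv,
        "leaked_prime": leaked_prime,
    }


if __name__ == "__main__":
    print(demo())
```

Against a real 2048-bit key the factoring step is infeasible and OAEP padding removes both the determinism and the malleability; the point of the example is that the public key alone is enough to exploit each of these defects once it is present, which is why an observer on the network (the attack vector described in the next section) is all this class of bug requires.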
Attack Vector
The attack vector for this vulnerability is network-based and requires no credentials or privileges on the device. The attacker does, however, need to observe or interpose on traffic between the PLC and a legitimate client. The attack scenario involves:
Network Access: An attacker positions themselves on the same network as the vulnerable Click Plus PLC, either through direct network access or by compromising an adjacent system.
Traffic Interception: The attacker captures encrypted communications between the PLC and legitimate clients (engineering workstations, HMIs, or SCADA systems).
Cryptographic Attack: Using the weaknesses in the RSA implementation, the attacker performs cryptographic attacks to recover plaintext data or private keys. Depending on the specific implementation flaw, this could involve factoring weak keys, exploiting padding oracle vulnerabilities, or leveraging timing side-channels.
Exploitation: With compromised cryptographic protections, the attacker can decrypt sensitive communications, forge authenticated commands, or potentially gain unauthorized control over the PLC's operations.
Because the attacker must wait for a legitimate client to exchange traffic with the PLC, the chain does involve some user interaction; but PLCs are routinely reachable across flat OT network segments, which makes the flaw practically exploitable.
Detection Methods for CVE-2025-59484
Indicators of Compromise
- Unusual network traffic patterns to or from Click Plus PLC devices on non-standard ports
- Unexpected firmware modification attempts or configuration changes on PLC devices
- Failed authentication attempts followed by a successful session from the same source, which can indicate that credentials or session material were recovered from intercepted traffic
- Anomalous command sequences sent to PLCs that deviate from normal operational patterns
Detection Strategies
- Monitor PLC network traffic for anomalies in its encrypted sessions: handshakes from unexpected peers, repeated handshake failures or retries, and session counts or timing that differ from the established baseline
- Deploy ICS-aware intrusion detection systems capable of inspecting industrial protocol traffic
- Establish baseline communication patterns for Click Plus PLCs and alert on deviations
- Monitor for unauthorized firmware update attempts or configuration changes on affected devices
Monitoring Recommendations
- Enable comprehensive logging on network devices monitoring the OT/ICS network segments
- Implement asset inventory tracking to identify all Click Plus PLCs running firmware version 3.60
- Deploy packet capture capabilities on critical network segments for forensic analysis
- Configure SIEM rules to correlate suspicious activities targeting industrial control devices
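The following Python is an added example, not tooling from AutomationDirect or CISA: a small triage script for the firewall log lines that an iptables LOG rule with the prefix ICS_BLOCKED: (such as the one in the workaround below) writes to syslog. It implements two of the detection strategies above: every source that is not the approved engineering workstation and still reaches the PLC subnet is raised as an unauthorized attempt, a source that probes several PLC ports or several PLC hosts is raised as a scan, and the approved workstation appearing in the blocked log is raised separately because it means the allow rule is missing or ordered after the drop. The log lines, the addresses (192.168.10.50 as the engineering workstation, 192.168.20.0/24 as the PLC subnet) and the thresholds are constructed for this page.

```python
"""Added example: triage of iptables 'ICS_BLOCKED:' log lines for a PLC subnet.
Not vendor tooling; addresses, thresholds and sample log lines are constructed."""

import re
from collections import defaultdict

PLC_SUBNET_PREFIX = "192.168.20."        # assumed PLC subnet (matches the iptables example)
AUTHORIZED_CLIENTS = {"192.168.10.50"}   # assumed engineering workstation
SCAN_PORT_THRESHOLD = 5                  # distinct ports from one source before we call it a scan
LOG_PREFIX = "ICS_BLOCKED:"

# iptables LOG writes space-separated KEY=VALUE fields (SRC=, DST=, PROTO=, SPT=, DPT=, ...)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")

# Constructed sample log: one scanning host, one single attempt, the authorized
# workstation wrongly blocked, and an unrelated kernel line that must be ignored.
SAMPLE_LOG = """\
Sep 24 10:01:02 fw1 kernel: ICS_BLOCKED: IN=eth0 OUT=eth1 SRC=192.168.10.77 DST=192.168.20.100 PROTO=TCP SPT=51234 DPT=502 SYN
Sep 24 10:01:02 fw1 kernel: ICS_BLOCKED: IN=eth0 OUT=eth1 SRC=192.168.10.77 DST=192.168.20.100 PROTO=TCP SPT=51235 DPT=23 SYN
Sep 24 10:01:03 fw1 kernel: ICS_BLOCKED: IN=eth0 OUT=eth1 SRC=192.168.10.77 DST=192.168.20.100 PROTO=TCP SPT=51236 DPT=80 SYN
Sep 24 10:01:03 fw1 kernel: ICS_BLOCKED: IN=eth0 OUT=eth1 SRC=192.168.10.77 DST=192.168.20.100 PROTO=TCP SPT=51237 DPT=443 SYN
Sep 24 10:01:04 fw1 kernel: ICS_BLOCKED: IN=eth0 OUT=eth1 SRC=192.168.10.77 DST=192.168.20.100 PROTO=TCP SPT=51238 DPT=4040 SYN
Sep 24 10:02:11 fw1 kernel: ICS_BLOCKED: IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=192.168.20.101 PROTO=TCP SPT=40000 DPT=502 SYN
Sep 24 10:03:30 fw1 kernel: ICS_BLOCKED: IN=eth0 OUT=eth1 SRC=192.168.10.50 DST=192.168.20.100 PROTO=TCP SPT=55000 DPT=502 SYN
Sep 24 10:03:31 fw1 kernel: eth0: link is up
"""


def parse_blocked_line(line):
    """Return the KEY=VALUE fields of a LOG line carrying our prefix, else None."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def summarize(lines):
    """Aggregate blocked attempts against the PLC subnet per source address."""
    stats = defaultdict(lambda: {"count": 0, "dsts": set(), "dports": set()})
    for line in lines:
        f = parse_blocked_line(line)
        if f is None or not f["DST"].startswith(PLC_SUBNET_PREFIX):
            continue
        s = stats[f["SRC"]]
        s["count"] += 1
        s["dsts"].add(f["DST"])
        if "DPT" in f:
            s["dports"].add(f["DPT"])
    return stats


def classify(stats):
    """Turn per-source statistics into (source, alert_kind, attempt_count) tuples."""
    alerts = []
    for src, s in sorted(stats.items()):
        if src in AUTHORIZED_CLIENTS:
            # The allow rule is missing or ordered after the DROP: fix the firewall.
            kind = "authorized_client_blocked"
        elif len(s["dports"]) >= SCAN_PORT_THRESHOLD or len(s["dsts"]) > 1:
            kind = "port_or_host_scan"
        else:
            kind = "unauthorized_attempt"
        alerts.append((src, kind, s["count"]))
    return alerts


def triage(text):
    return classify(summarize(text.splitlines()))


if __name__ == "__main__":
    for src, kind, count in triage(SAMPLE_LOG):
        print(f"{kind:28s} {src:16s} attempts={count}")
```

In production the same parser would read from the syslog collector or the SIEM rather than an embedded string, and the alert tuples would be forwarded as SIEM events keyed on the source address so repeated probes from one host correlate into a single incident.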
How to Mitigate CVE-2025-59484
Immediate Actions Required
- Identify all AutomationDirect Click Plus PLCs in your environment running firmware version 3.60
- Implement network segmentation to isolate affected PLCs from untrusted networks
- Apply the principle of least privilege for all network access to ICS environments
- Review and restrict remote access capabilities to affected devices until patching is complete
Patch Information
AutomationDirect has been notified of this vulnerability. Organizations should check the AutomationDirect Software Downloads page for updated firmware that addresses this cryptographic vulnerability.
CISA has published an ICS advisory (ICSA-25-266-01) with additional guidance and mitigation recommendations for organizations operating affected devices.
Workarounds
- Place affected PLCs behind properly configured firewalls that limit network access to trusted hosts only
- Route any remote access through an authenticated VPN tunnel terminated in front of the PLC, so the path is protected independently of the device's own RSA implementation (this protects the link, not the PLC's built-in cryptography itself)
- Deploy network monitoring to detect and alert on any suspicious communication patterns with affected devices
- Consider implementing application-layer encryption or authentication mechanisms independent of the PLC's built-in cryptography
# Network segmentation example - restrict PLC access to authorized hosts
# Example iptables rules for a Linux-based firewall protecting the ICS network.
# Addresses are placeholders: 192.168.10.50 = engineering workstation, 192.168.20.100 = PLC.
# Rules are appended in order, so the LOG rule must come before the DROP rule or it never fires.
# Allow only the authorized engineering workstation to communicate with the PLC
iptables -A FORWARD -s 192.168.10.50 -d 192.168.20.100 -j ACCEPT
iptables -A FORWARD -s 192.168.20.100 -d 192.168.10.50 -j ACCEPT
# Log denied attempts for monitoring (rate-limited so a scan cannot flood the log)
iptables -A FORWARD -d 192.168.20.0/24 -m limit --limit 10/min -j LOG --log-prefix "ICS_BLOCKED: "
# Block all other traffic to the PLC subnet
iptables -A FORWARD -d 192.168.20.0/24 -j DROP
# Block traffic originating from the PLC subnet to anywhere else (a compromised PLC should not reach out)
iptables -A FORWARD -s 192.168.20.0/24 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.