1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: AutomationDirect
- Equipment: CLICK PLUS
- Vulnerabilities: Cleartext Storage of Sensitive Information, Use of Hard-coded Cryptographic Key, Use of a Broken or Risky Cryptographic Algorithm, Predictable Seed in Pseudo-Random Number Generator, Improper Resource Shutdown or Release, Missing Authorization
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, modify device settings, escalate privileges, or cause a denial-of-service condition on the affected device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following AutomationDirect products are affected:
- CLICK PLUS C0-0x CPU firmware: Versions prior to v3.71
- CLICK PLUS C0-1x CPU firmware: Versions prior to v3.71
- CLICK PLUS C2-x CPU firmware: Versions prior to v3.71
3.2 VULNERABILITY OVERVIEW
3.2.1 Cleartext Storage of Sensitive Information CWE-312
Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text.
CVE-2025-54855 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-54855. A base score of 4.1 has been calculated; the CVSS vector string is (
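The precondition for CVE-2025-54855 is a credential written to disk in cleartext where another local user can read it. The following is an added example, not code from the advisory or from AutomationDirect: a small Python scanner that walks a directory, flags credential-looking lines, and records whether each file is readable by users other than its owner. The advisory does not say where or in what format the Click Programming Software stores credentials, so the sample files, their contents, and the credential regex are constructed assumptions for the demonstration only.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Heuristic for a credential stored in cleartext. This is a generic pattern,
# not the on-disk format used by the Click Programming Software (assumption:
# the advisory does not describe that format).
CREDENTIAL_PATTERN = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key)\b\s*[:=]\s*\S+"
)

# Permission bits that let users other than the owner read the file.
OTHERS_READ = stat.S_IRGRP | stat.S_IROTH


def find_cleartext_credentials(root, max_bytes=1_000_000):
    """Walk `root` and report files containing credential-looking lines.

    Each finding records the path, the line number, and whether the file's
    mode bits allow users other than the owner to read it, which is the
    CWE-312 exposure a local user would need.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable or vanished between listing and reading
        for lineno, line in enumerate(text.splitlines(), start=1):
            if CREDENTIAL_PATTERN.search(line):
                findings.append({
                    "path": str(path),
                    "line": lineno,
                    "readable_by_others": bool(mode & OTHERS_READ),
                })
    return findings


def summarize(findings):
    """Reduce findings to (file name, line, readable_by_others) tuples."""
    return [
        (os.path.basename(f["path"]), f["line"], f["readable_by_others"])
        for f in findings
    ]


def build_demo_tree(base):
    """Create constructed sample files under `base` (assumed names/contents)."""
    base = Path(base)
    base.mkdir(parents=True, exist_ok=True)

    # Cleartext credential, readable by every local user: the CWE-312 case.
    exposed = base / "project.ini"
    exposed.write_text("[device]\nhost=192.0.2.10\npassword=changeme\n")
    os.chmod(exposed, 0o644)

    # Cleartext credential but owner-only permissions: still cleartext,
    # though an unprivileged local user cannot read it directly.
    restricted = base / "session.cfg"
    restricted.write_text("user=admin\npassword: hunter2\n")
    os.chmod(restricted, 0o600)

    # No credential at all.
    clean = base / "notes.txt"
    clean.write_text("No secrets here, just the ladder logic layout.\n")
    os.chmod(clean, 0o644)
    return base


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_cleartext_credentials(build_demo_tree(tmp))


if __name__ == "__main__":
    for name, line, exposed in summarize(run_demo()):
        status = "READABLE BY OTHERS" if exposed else "owner-only"
        print(f"{name}:{line} cleartext credential ({status})")
```

Point the scanner at the directory the programming software uses for project and session files; a finding marked readable-by-others is the condition the advisory describes, and a finding marked owner-only is still cleartext and worth removing, since any user who reaches the administrator's account can read it.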