CVE-2025-58078 (GCVE-0-2025-58078)
Vulnerability from cvelistv5
Published
2025-10-23 22:09
Modified
2025-10-24 14:28
Severity ?
8.3 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:L
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H
CWE
Summary
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.
References
Impacted products
Vendor Product Version
AutomationDirect Productivity Suite Version: 0   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58078",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-24T14:28:48.950645Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-24T14:28:56.329Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Productivity Suite",
          "vendor": "AutomationDirect",
          "versions": [
            {
              "lessThanOrEqual": "SW V4.2.1.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Productivity 3000 P3-622 CPU",
          "vendor": "AutomationDirect",
          "versions": [
            {
              "lessThanOrEqual": "SW V4.2.1.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Productivity 3000 P3-550E CPU",
          "vendor": "AutomationDirect",
          "versions": [
            {
              "lessThanOrEqual": "SW V4.2.1.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Productivity 3000 P3-530 CPU",
          "vendor": "AutomationDirect",
          "versions": [
            {
              "lessThanOrEqual": "SW v4.4.1.19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Productivity 2000 P2-622 CPU",
          "vendor": "AutomationDirect",
          "versions": [
            {
              "lessThanOrEqual": "SW v4.4.1.19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Productivity 2000 P2-550 CPU",
          "vendor": "AutomationDirect",
          "versions": [
            {
              "lessThanOrEqual": "SW v4.4.1.19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Productivity 1000 P1-550 CPU",
          "vendor": "AutomationDirect",
          "versions": [
            {
              "lessThanOrEqual": "SW v4.4.1.19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Productivity 1000 P1-540 CPU",
          "vendor": "AutomationDirect",
          "versions": [
            {
              "lessThan": "SW v4.4.1.19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:automationdirect:productivity_suite:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "sw_v4.2.1.9",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-622_cpu:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "sw_v4.2.1.9",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-550e_cpu:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "sw_v4.2.1.9",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-530_cpu:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "sw_v4.4.1.19",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:automationdirect:productivity_2000_p2-622_cpu:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "sw_v4.4.1.19",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:automationdirect:productivity_2000_p2-550_cpu:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "sw_v4.4.1.19",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:automationdirect:productivity_1000_p1-550_cpu:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "sw_v4.4.1.19",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:automationdirect:productivity_1000_p1-540_cpu:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "sw_v4.4.1.19",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Luca Borzacchiello of Nozomi Networks reported these vulnerabilities to AutomationDirect."
        }
      ],
      "datePublic": "2025-10-23T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA relative path traversal vulnerability was discovered in Productivity Suite software version \n\n4.4.1.19.\n\n\n The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
            }
          ],
          "value": "A relative path traversal vulnerability was discovered in Productivity Suite software version \n\n4.4.1.19.\n\n\n The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-23T22:09:03.834Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01"
        },
        {
          "url": "https://www.automationdirect.com/support/software-downloads"
        },
        {
          "url": "https://support.automationdirect.com/docs/securityconsiderations.pdf"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAutomationDirect recommends that users do the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdate the Productivity Suite programming software to version 4.5.0.x or higher.\u003c/li\u003e\u003cli\u003eUpdate the firmware of Productivity PLCs to the latest version. \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.automationdirect.com/support/software-downloads\"\u003ehttps://www.automationdirect.com/support/software-downloads\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAlthough automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems.\u003c/li\u003e\u003cli\u003eIt is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.\u003c/li\u003e\u003cli\u003eAutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "AutomationDirect recommends that users do the following:\n\n  *  Update the Productivity Suite programming software to version 4.5.0.x or higher.\n  *  Update the firmware of Productivity PLCs to the latest version.  https://www.automationdirect.com/support/software-downloads \n  *  Although automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems.\n  *  It is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.\n  *  AutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application."
        }
      ],
      "source": {
        "advisory": "ICSA-25-296-01",
        "discovery": "EXTERNAL"
      },
      "title": "AutomationDirect Productivity Suite  Relative Path Traversal",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhysically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.\u003c/li\u003e\u003cli\u003eConfigure network segmentation to isolate the PLC from other devices and systems within the organization.\u003c/li\u003e\u003cli\u003eImplement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.\u003c/li\u003e\u003cli\u003ePlease refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.automationdirect.com/docs/securityconsiderations.pdf\"\u003eAutomationDirect\u0027s security considerations\u003c/a\u003e\u0026nbsp;for additional information.\u003c/li\u003e\u003cli\u003eIf you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "AutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:\n\n  *  Physically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.\n  *  Configure network segmentation to isolate the PLC from other devices and systems within the organization.\n  *  Implement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.\n  *  Please refer to  AutomationDirect\u0027s security considerations https://support.automationdirect.com/docs/securityconsiderations.pdf \u00a0for additional information.\n  *  If you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-58078",
    "datePublished": "2025-10-23T22:09:03.834Z",
    "dateReserved": "2025-10-21T21:55:11.872Z",
    "dateUpdated": "2025-10-24T14:28:56.329Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-58078\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-10-23T22:15:41.263\",\"lastModified\":\"2025-10-27T13:20:15.637\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A relative path traversal vulnerability was discovered in Productivity Suite software version \\n\\n4.4.1.19.\\n\\n\\n The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-23\"}]}],\"references\":[{\"url\":\"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://support.automationdirect.com/docs/securityconsiderations.pdf\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.automationdirect.com/support/software-downloads\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-58078\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-24T14:28:48.950645Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-24T14:28:53.025Z\"}}], \"cna\": {\"title\": \"AutomationDirect Productivity Suite  Relative Path Traversal\", \"source\": {\"advisory\": \"ICSA-25-296-01\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Luca Borzacchiello of Nozomi Networks reported these vulnerabilities to AutomationDirect.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:L\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"AutomationDirect\", \"product\": \"Productivity Suite\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"SW V4.2.1.9\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"AutomationDirect\", \"product\": \"Productivity 3000 P3-622 CPU\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"SW V4.2.1.9\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"AutomationDirect\", \"product\": \"Productivity 3000 P3-550E CPU\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"SW V4.2.1.9\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"AutomationDirect\", \"product\": \"Productivity 3000 P3-530 CPU\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"SW v4.4.1.19\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"AutomationDirect\", \"product\": \"Productivity 2000 P2-622 CPU\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"SW v4.4.1.19\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"AutomationDirect\", \"product\": \"Productivity 2000 P2-550 CPU\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"SW v4.4.1.19\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"AutomationDirect\", \"product\": \"Productivity 1000 P1-550 CPU\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"SW v4.4.1.19\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"AutomationDirect\", \"product\": \"Productivity 1000 P1-540 CPU\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"SW v4.4.1.19\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"AutomationDirect recommends that users do the following:\\n\\n  *  Update the Productivity Suite programming software to version 4.5.0.x or higher.\\n  *  Update the firmware of Productivity PLCs to the latest version.  https://www.automationdirect.com/support/software-downloads \\n  *  Although automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems.\\n  *  It is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.\\n  *  AutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAutomationDirect recommends that users do the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdate the Productivity Suite programming software to version 4.5.0.x or higher.\u003c/li\u003e\u003cli\u003eUpdate the firmware of Productivity PLCs to the latest version. \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.automationdirect.com/support/software-downloads\\\"\u003ehttps://www.automationdirect.com/support/software-downloads\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAlthough automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems.\u003c/li\u003e\u003cli\u003eIt is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.\u003c/li\u003e\u003cli\u003eAutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application.\u003c/li\u003e\u003c/ul\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2025-10-23T16:00:00.000Z\", \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01\"}, {\"url\": \"https://www.automationdirect.com/support/software-downloads\"}, {\"url\": \"https://support.automationdirect.com/docs/securityconsiderations.pdf\"}, {\"url\": \"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"AutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:\\n\\n  *  Physically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.\\n  *  Configure network segmentation to isolate the PLC from other devices and systems within the organization.\\n  *  Implement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.\\n  *  Please refer to  AutomationDirect\u0027s security considerations https://support.automationdirect.com/docs/securityconsiderations.pdf \\u00a0for additional information.\\n  *  If you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhysically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.\u003c/li\u003e\u003cli\u003eConfigure network segmentation to isolate the PLC from other devices and systems within the organization.\u003c/li\u003e\u003cli\u003eImplement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.\u003c/li\u003e\u003cli\u003ePlease refer to \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://support.automationdirect.com/docs/securityconsiderations.pdf\\\"\u003eAutomationDirect\u0027s security considerations\u003c/a\u003e\u0026nbsp;for additional information.\u003c/li\u003e\u003cli\u003eIf you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.\u003c/li\u003e\u003c/ul\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.4.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A relative path traversal vulnerability was discovered in Productivity Suite software version \\n\\n4.4.1.19.\\n\\n\\n The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eA relative path traversal vulnerability was discovered in Productivity Suite software version \\n\\n4.4.1.19.\\n\\n\\n The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"CWE-23\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:automationdirect:productivity_suite:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"sw_v4.2.1.9\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:automationdirect:productivity_3000_p3-622_cpu:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"sw_v4.2.1.9\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:automationdirect:productivity_3000_p3-550e_cpu:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"sw_v4.2.1.9\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:automationdirect:productivity_3000_p3-530_cpu:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"sw_v4.4.1.19\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:automationdirect:productivity_2000_p2-622_cpu:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"sw_v4.4.1.19\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:automationdirect:productivity_2000_p2-550_cpu:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"sw_v4.4.1.19\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:automationdirect:productivity_1000_p1-550_cpu:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"sw_v4.4.1.19\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:automationdirect:productivity_1000_p1-540_cpu:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"sw_v4.4.1.19\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-10-23T22:09:03.834Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-58078\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-24T14:28:56.329Z\", \"dateReserved\": \"2025-10-21T21:55:11.872Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-10-23T22:09:03.834Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.