Breaking the Encryption: Analyzing the AutomationDirect CLICK Plus PLC Protocol 

AutomationDirect’s CLICK Plus PLCs are deployed in a wide range of industrial and commercial settings: from factory-floor machinery and building-automation systems to remote process-control installations and even recreational systems such as amusement-park ride controllers.

The device is a compact programmable logic controller that supports ladder-logic programming, I/O expansion, and multiple communication interfaces, including Ethernet, Wi-Fi, and Bluetooth, enabling it to integrate with both local control networks and remote/mobile applications.

Security researchers at Nozomi Networks Labs identified seven vulnerabilities affecting CLICK Plus devices and promptly notified AutomationDirect, providing technical details so the vendor could reproduce and remediate the issues.

We thank AutomationDirect for their prompt response and close collaboration with Nozomi Networks in validating the findings and developing fixes. They published an advisory in coordination with CISA and addressed the reported vulnerabilities in a timely manner. Operators should follow the vendor's guidance and apply the recommended updates immediately.

Research Scope

This research targeted the CLICK Plus family of PLCs from AutomationDirect, with a focused analysis of the C2-03CPU-2 model, which includes both Wi-Fi and Bluetooth interfaces. We selected the C2-03CPU-2 because its wireless capabilities make it representative of field-deployed units that are accessed from workstations and mobile devices.

The devices communicate with workstations using a proprietary, UDP-based protocol, and a slightly modified variant of that same protocol runs over Bluetooth and the wireless interface used by mobile applications. That protocol was a major focus of our work: we examined its connection and key-exchange phases, message formats, and the mechanisms intended to ensure confidentiality, integrity, and session management, looking specifically for implementation choices that could undermine otherwise sound designs.

In addition to the network protocol, our scope included the software ecosystem used to program and manage CLICK Plus devices, specifically the CLICK Programming Software (the workstation client) and the Android and iOS mobile applications.

Attack Scenario

Figure 2 – Attack scenario

CLICK Plus PLCs are widely used in factory-floor machinery and building-automation systems. You can think of a PLC as an orchestrator that controls an industrial automation process, for example a conveyor belt system, ensuring that it operates at a specified speed regardless of the objects on it. To do this, it relies on sensors that monitor parameters such as speed and load, and on actuators like motors that drive the conveyor.

A conveyor belt can serve many purposes. For example, it may transport packages through a sorting system, automatically lifting, turning, and distributing them. If the conveyor malfunctions, items can be misplaced or damaged, and the entire production line may be disrupted, leading to significant economic losses.

This section describes how the vulnerabilities discovered by Nozomi Networks Labs could affect a production facility where a PLC controls conveyor-belt systems used for sorting and packaging final products.

The described attack chain requires the attacker to access the network on which the PLC operates and to monitor packets exchanged within it. Standard operational controls should normally prevent such access, but attackers can still obtain a foothold in several ways: by gaining physical access to network ports, exploiting an exposed remote-maintenance interface, compromising a workstation or industrial gateway connected to the PLC network, or abusing weak network segmentation and misconfigured VPNs. Any of these footholds could allow an attacker to start the attack chain and enable destructive behavior.

Figure 2 illustrates the attack flow. Once such access is established, the attacker positions themselves on the network and passively monitors traffic, waiting for an operator (or a machine) to connect to the PLC.

As soon as the attacker detects a login to the device, they begin inspecting the exchanged traffic. As mentioned earlier, the CLICK Plus PLC uses a proprietary UDP-based protocol to communicate with other devices over the network. Although this protocol is designed to provide encryption and authentication, implementation flaws allow the attacker to decrypt the traffic and recover operator credentials (issues tracked as CVE-2025-59484 and CVE-2025-55069, see “Vulnerabilities Spotlight: Protocol Encryption Issues”). With these credentials, the attacker can successfully authenticate to the PLC.

The attacker aims to disrupt factory operations by altering the normal behavior of the conveyor belt, but before doing so, they seek to avoid interruption and blind HMIs and monitoring interfaces. Thus, the attacker exploits two additional protocol flaws that allow them to saturate available sessions (issues tracked as CVE-2025-58473 and CVE-2025-57882). Although CLICK Plus devices can also be monitored via Bluetooth, CVE-2025-57882 enables the attacker to saturate those sessions over the network without requiring physical proximity.

With operator access effectively blocked, the attacker can operate undisturbed and read or overwrite any I/O values exposed by the controller. This capability may be available even with lower-privilege credentials because of the issue tracked as CVE-2025-55038.

By manipulating the controller’s I/O values, the attacker can finally alter belt speeds, override or disable safety interlocks, and falsify sensor readings. These actions can destroy product batches, halt production, and create immediate physical danger for operators working at or near the line.

Vulnerability List and Affected Versions

The following table lists all the vulnerabilities Nozomi Networks Labs found in the AutomationDirect CLICK Plus family, affecting versions up to v3.71, during this vulnerability research:

| CVE ID | CWE | CVSS v3.1 Base Score | CVSS v3.1 Vector |
| --- | --- | --- | --- |
| CVE-2025-54855 | CWE-312 Cleartext Storage of Sensitive Information | 4.2 | AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N |
| CVE-2025-58069 | CWE-321 Use of Hard-coded Cryptographic Key | 5.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2025-59484 | CWE-327 Use of a Broken or Risky Cryptographic Algorithm | 8.3 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
| CVE-2025-55069 | CWE-337 Predictable Seed in Pseudo-Random Number Generator | 8.3 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
| CVE-2025-58473 | CWE-404 Improper Resource Shutdown or Release | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2025-55038 | CWE-862 Missing Authorization | 6.8 | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
| CVE-2025-57882 | CWE-404 Improper Resource Shutdown or Release | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |

Potential Impact of the Vulnerabilities

The vulnerabilities we discovered in CLICK Plus devices map directly to several Impact techniques in the MITRE ATT&CK® for ICS framework. Below are three particularly relevant ones and how the CLICK Plus weaknesses could enable each.

T0831: Manipulation of Control

Because the protocol implementation allows an attacker to recover keys and exfiltrate credentials (CVE-2025-59484, CVE-2025-55069), and because CVE-2025-55038 permits reading and overwriting I/O values, an adversary who authenticates to a CLICK Plus unit could change setpoints, flip outputs, or otherwise issue unauthorized control actions. On equipment such as conveyors, pumps, or amusement-park ride controllers, those actions can directly alter the physical process and produce unsafe or damaging behavior (for example, unexpected accelerations, stopped safety interlocks, or incorrect valve positions).

T0829: Loss of View

The protocol and session-management flaws (including the remote session-exhaustion issues tracked as CVE-2025-58473 and CVE-2025-57882) enable an attacker to interrupt telemetry and operator feedback. By blocking legitimate operator connections, an adversary can create a sustained loss of view that forces local, hands-on intervention or hides the true system state from control staff. In such a condition, operators may be blind to dangerous process deviations or be misled about system health.

T0882: Theft of Operational Information

Weak cryptography and predictable key generation let an attacker passively decrypt traffic and extract sensitive operational data (credentials, ladder programs, configuration files, schedules, sensor logs). Stolen operational information can be used for targeted follow-on attacks, commercial espionage, or to plan destructive actions with greater effectiveness.

Vulnerabilities Spotlight: Protocol Encryption Issues

The protocol implemented by the CLICK Programming Software to interact with the PLC is a proprietary UDP-based protocol. Variants of the same protocol are also used over Bluetooth and the Wi-Fi interface by the Android and iOS applications. The protocol is intended to provide confidentiality, integrity, and partial forward secrecy by using encryption and authentication. Note that the protocol is designed to authenticate only the client, so it provides no protection against MitM attacks in which the attacker impersonates the server.

We will not describe every protocol detail here; instead, we focus on the connection phase, when the client and the PLC establish the session key that encrypts messages for the current session. The following (simplified) diagram illustrates the protocol’s key-generation scheme:

Figure 3 – Key sharing process

As the diagram shows, the workstation (left) generates an RSA public–private key pair and shares the public key (K_pub) with the PLC. The PLC generates a session key (Ks) and returns it to the workstation encrypted with K_pub. Once the workstation decrypts Ks, both endpoints use Ks (with AES) to encrypt subsequent communications.

The protocol design itself is reasonable, but the implementation contains several major weaknesses. First, the RSA keys are extremely small (32 bits), making it trivial for an attacker to derive the private key from the public key using standard factorization attacks. Second, the key-generation routine is insecure because it uses only the current timestamp as entropy. An attacker can brute-force that routine and reproduce the same key pair. These flaws are tracked as CVE-2025-59484 and CVE-2025-55069.

Exploiting either weakness, an attacker who passively monitors the network can decrypt an operator’s traffic to the PLC. Because operator credentials are transmitted in subsequent protocol messages, the attacker can exfiltrate those credentials and use them to authenticate to the PLC.
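The two implementation weaknesses described above can be reproduced on a toy model of the key-sharing scheme in Figure 3. The following Python is an added example written for this article; it is not Nozomi Networks' PoC and not AutomationDirect's code. It models the workstation's key generation with textbook RSA (public exponent 65537, a hypothetical choice), models the timestamp-only entropy as seeding Python's `random.Random` with a Unix timestamp, and represents the session key Ks as a small integer, since textbook RSA can only wrap a value smaller than the modulus. The audit function is the check a protocol reviewer would want: it flags a modulus that is too short and one that trial division already splits, and the recovery function shows why the flag matters for a passive observer of the exchange.

```python
import math
import random
import secrets

RSA_E = 65537  # hypothetical public exponent for the toy model


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test; rng supplies the witness bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime with exactly `bits` bits, drawn from rng."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def rsa_keygen(bits, rng):
    """Textbook RSA key pair (n, e, d) with a `bits`-bit modulus."""
    p = gen_prime(bits // 2, rng)
    while True:
        q = gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if q != p and math.gcd(RSA_E, phi) == 1:
            return p * q, RSA_E, pow(RSA_E, -1, phi)


def timestamp_seeded_keygen(timestamp, bits=32):
    """Models the weakness class of CVE-2025-55069: the only entropy is a
    timestamp, so anyone who knows or guesses it regenerates the same pair.
    This is a hypothetical model, not the vendor's actual routine."""
    return rsa_keygen(bits, random.Random(timestamp))


def rsa_encrypt(n, e, m):
    """PLC side of Figure 3: wrap the session key with K_pub."""
    return pow(m, e, n)


def factor_by_trial_division(n, limit):
    """Return (p, q) if a factor <= limit exists, else None. Every 32-bit
    modulus has a factor below 2**16, so trial division always splits it."""
    if n % 2 == 0:
        return 2, n // 2
    for cand in range(3, min(math.isqrt(n), limit) + 1, 2):
        if n % cand == 0:
            return cand, n // cand
    return None


def audit_public_key(n, e, min_bits=2048, trial_limit=1 << 20):
    """Key-strength check to run on an observed K_pub: is the modulus long
    enough, and does naive trial division already break it?"""
    pq = factor_by_trial_division(n, trial_limit)
    return {
        "modulus_bits": n.bit_length(),
        "meets_minimum": n.bit_length() >= min_bits,
        "exponent_ok": e > 2 and e % 2 == 1,
        "trivially_factorable": pq is not None,
    }


def recover_session_key_if_weak(n, e, wrapped_key, trial_limit=1 << 20):
    """Consequence of a weak K_pub (CVE-2025-59484 class): the wrapped Ks
    is readable by anyone who captured the exchange. Returns None when the
    modulus resists the trial-division budget."""
    pq = factor_by_trial_division(n, trial_limit)
    if pq is None:
        return None
    p, q = pq
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(wrapped_key, d, n)


def strong_key_for_contrast(bits=128):
    """Properly seeded key (still far below 2048 bits) to show the audit
    distinguishing 'too short' from 'already broken'."""
    return rsa_keygen(bits, secrets.SystemRandom())


if __name__ == "__main__":
    ts = 1_700_000_000  # constructed timestamp; a real client would use "now"
    n, e, d = timestamp_seeded_keygen(ts)
    assert timestamp_seeded_keygen(ts) == (n, e, d)  # same seed, same key pair
    ks = 0xBEEF  # constructed toy session key, must be < n in textbook RSA
    wrapped = rsa_encrypt(n, e, ks)
    print(audit_public_key(n, e))
    print(hex(recover_session_key_if_weak(n, e, wrapped)))
```

Running the script prints an audit report in which both `meets_minimum` and `trivially_factorable` fail for the 32-bit key, followed by the recovered session key; the same audit on the 128-bit contrast key reports only the length failure, which is the distinction a reviewer wants when deciding whether a key-exchange implementation is merely under-sized or already exposing session keys.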

The following screenshot shows our PoC, which, given a pcap, extracts the key material and decrypts the captured content:

Figure 4 – Decryption script

With valid credentials, the attacker can then attempt further actions against the device (for example, session exhaustion or direct I/O manipulation), amplifying the impact of the initial cryptographic weaknesses (as described in the Attack Scenario section).

Remediation

AutomationDirect has addressed these vulnerabilities through security patches for the CLICK Plus firmware and the CLICK Programming Software. A security advisory has been published by CISA. Asset owners and operators are strongly urged to:

  • Update affected workstations with the newer version of the CLICK Programming Software.
  • Update affected CLICK Plus devices with the newer version of the CLICK firmware.
  • Implement network segmentation to limit exposure of systems.
  • Monitor network traffic for the presence of vulnerable assets.

To help organizations promptly identify whether devices running the vulnerable firmware are present in their environment, asset owners can rely on the advanced capabilities of the Nozomi Networks OT/IoT Security Platform. The platform provides deep visibility into network traffic and host activities, enabling effective vulnerability and threat detection across OT networks.

Figure 5 - Detection of vulnerable CLICK Plus devices

This proactive monitoring empowers security teams to respond to vulnerabilities and attacks swiftly and effectively, minimizing the impact of attacks targeting critical networks. To learn more about the Nozomi Networks OT/IoT Security Platform and see it in action, request a demo today.

Swift action is essential to protect critical infrastructure and maintain operational integrity.
