Description
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and read arbitrary files on the target machine.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
Low
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Affected products
- AutomationDirect / Productivity 1000 P1-540 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 1000 P1-550 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 2000 P2-550 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 2000 P2-622 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 3000 P3-530 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 3000 P3-550E CPU0 – SW V4.2.1.9
- AutomationDirect / Productivity 3000 P3-622 CPU0 – SW V4.2.1.9
- AutomationDirect / Productivity Suite0 – SW V4.2.1.9
References
- VENDOR_ADVISORYhttps://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01
- MISChttps://www.automationdirect.com/support/software-downloads
- MISChttps://support.automationdirect.com/docs/securityconsiderations.pdf
- MISChttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json