Description
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
Low
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
Low
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
Affected products
- AutomationDirect / Productivity 1000 P1-540 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 1000 P1-550 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 2000 P2-550 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 2000 P2-622 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 3000 P3-530 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 3000 P3-550E CPU0 – SW V4.2.1.9
- AutomationDirect / Productivity 3000 P3-622 CPU0 – SW V4.2.1.9
- AutomationDirect / Productivity Suite0 – SW V4.2.1.9
References
- VENDOR_ADVISORYhttps://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01
- MISChttps://www.automationdirect.com/support/software-downloads
- MISChttps://support.automationdirect.com/docs/securityconsiderations.pdf
- MISChttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json