Description
A binding to an unrestricted IP address vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and read, write, or delete arbitrary files and folders on the target machine
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
Low
Integrity (Subsequent System)
Low
Availability (Subsequent System)
Low
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected products
- AutomationDirect / Productivity 1000 P1-540 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 1000 P1-550 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 2000 P2-550 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 2000 P2-622 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 3000 P3-530 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 3000 P3-550E CPU0 – SW V4.2.1.9
- AutomationDirect / Productivity 3000 P3-622 CPU0 – SW V4.2.1.9
- AutomationDirect / Productivity Suite0 – SW V4.2.1.9
References
- VENDOR_ADVISORYhttps://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01
- MISChttps://www.automationdirect.com/support/software-downloads
- MISChttps://support.automationdirect.com/docs/securityconsiderations.pdf
- MISChttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json