Description
A weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery question.
CVSS breakdown
CVSS 4.0
Attack Vector
Local
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- AutomationDirect / Productivity 1000 P1-540 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 1000 P1-550 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 2000 P2-550 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 2000 P2-622 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 3000 P3-530 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 3000 P3-550E CPU0 – SW V4.2.1.9
- AutomationDirect / Productivity 3000 P3-622 CPU0 – SW V4.2.1.9
- AutomationDirect / Productivity Suite0 – SW V4.2.1.9
References
- VENDOR_ADVISORYhttps://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01
- MISChttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json
- MISChttps://www.automationdirect.com/support/software-downloads
- MISChttps://support.automationdirect.com/docs/securityconsiderations.pdf