A relative path traversal vulnerability was discovered in Productivity Suite software version

4.4.1.19.


The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.
Advisories

No advisories yet.

Fixes

Solution

AutomationDirect recommends that users do the following: * Update the Productivity Suite programming software to version 4.5.0.x or higher. * Update the firmware of Productivity PLCs to the latest version. https://www.automationdirect.com/support/software-downloads * Although automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems. * It is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems. * AutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application.


Workaround

AutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version: * Physically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems. * Configure network segmentation to isolate the PLC from other devices and systems within the organization. * Implement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC. * Please refer to AutomationDirect's security considerations https://support.automationdirect.com/docs/securityconsiderations.pdf  for additional information. * If you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.

History

Fri, 24 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Automationdirect
Automationdirect p1-540
Automationdirect p1-550
Automationdirect p2-550
Automationdirect p2-622
Automationdirect p3-530
Automationdirect p3-550e
Automationdirect p3-622
Automationdirect productivity Suite
Vendors & Products Automationdirect
Automationdirect p1-540
Automationdirect p1-550
Automationdirect p2-550
Automationdirect p2-622
Automationdirect p3-530
Automationdirect p3-550e
Automationdirect p3-622
Automationdirect productivity Suite

Thu, 23 Oct 2025 22:15:00 +0000

Type Values Removed Values Added
Description A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.
Title AutomationDirect Productivity Suite Relative Path Traversal
Weaknesses CWE-23
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H'}

cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-10-24T14:28:56.329Z

Reserved: 2025-10-21T21:55:11.872Z

Link: CVE-2025-58078

cve-icon Vulnrichment

Updated: 2025-10-24T14:28:53.025Z

cve-icon NVD

Status : Received

Published: 2025-10-23T22:15:41.263

Modified: 2025-10-23T22:15:41.263

Link: CVE-2025-58078

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-10-24T10:16:35Z