Nozomi: Critical PLC Vulnerabilities Found in CLICK Plus | Security Risks

by Priyanka Patel

Critical Vulnerabilities Discovered in AutomationDirect CLICK Plus PLCs, Enabling Potential Factory Disruption

A new security analysis has revealed seven vulnerabilities within AutomationDirect’s CLICK Plus programmable logic controllers (PLCs), potentially allowing attackers to disrupt industrial operations, steal sensitive data, and even create physical danger for personnel. Security researchers at Nozomi Networks Labs promptly alerted AutomationDirect to the issues, providing detailed technical information to facilitate remediation.

The analysis centered on the CLICK Plus family, specifically the C2-03CPU-2 model, chosen for its representative wireless capabilities – Wi-Fi and Bluetooth – commonly used for access from workstations and mobile devices. These vulnerabilities pose a significant risk to the wide range of industries deploying these PLCs, from manufacturing and building automation to remote process control and even amusement park ride systems.

According to the Nozomi researchers, the CLICK Plus devices utilize a proprietary, UDP-based protocol for communication with workstations, with a modified version also running over Bluetooth and wireless interfaces used by mobile applications. “That protocol was a major focus of our work: we examined its connection and key-exchange phases, message formats, and the mechanisms intended to ensure confidentiality, integrity, and session management, looking specifically for implementation choices that could undermine otherwise sound designs,” the researchers stated.

The scope of the investigation extended beyond the network protocol to include the CLICK Programming Software (the workstation client) and the Android and iOS mobile applications used to program and manage the devices.

Attack Chain and Potential Impacts

The researchers detailed a multi-stage attack chain requiring an attacker to gain access to the network where the PLC operates and passively monitor network traffic. While standard security controls should prevent such access, attackers could exploit several entry points, including physical access to network ports, compromised remote-maintenance interfaces, vulnerable workstations or industrial gateways, or poorly configured network segmentation and VPNs.

Once positioned on the network, the attacker waits for an operator or machine to connect to the PLC, then inspects the exchanged traffic. The proprietary UDP-based protocol, despite being designed with encryption and authentication, contains implementation flaws that allow attackers to decrypt traffic and steal operator credentials, granting them unauthorized access.

The potential consequences are severe. Researchers simulated an attack targeting a factory conveyor belt, demonstrating how an adversary could disrupt operations. However, before initiating destructive actions, the attacker first aims to blind Human-Machine Interfaces (HMIs) and monitoring systems. This is achieved by exploiting protocol flaws – specifically CVE-2025-58473 and CVE-2025-57882 – to saturate available sessions, effectively blocking legitimate connections. CVE-2025-57882 enables session saturation over the network, so the attacker does not need the physical proximity that Bluetooth requires.

With operator access blocked, the attacker can then read and overwrite Input/Output (I/O) values, potentially even with limited privileges (CVE-2025-55038). This manipulation could alter belt speeds, disable safety interlocks, and falsify sensor readings, leading to damaged products, halted production, and physical harm to personnel.

Alignment with MITRE ATT&CK for ICS

The identified vulnerabilities align with several impacts outlined in the MITRE ATT&CK for ICS framework. Attackers can leverage protocol weaknesses to recover encryption keys, exfiltrate credentials, and manipulate I/O values. This could lead to unauthorized control actions, potentially causing unsafe or damaging behavior in critical equipment like conveyors, pumps, and amusement park rides.

Furthermore, the protocol and session management flaws enable disruption of telemetry and operator feedback, creating a “loss of view” that forces manual intervention or conceals dangerous process deviations. Weak cryptography and predictable key generation allow attackers to passively decrypt traffic and extract sensitive operational data, including credentials, ladder programs, and configuration files, for future attacks or espionage.

Remediation and Ongoing Monitoring

AutomationDirect has released security patches for both the CLICK Plus firmware and the CLICK Programming Software to address these vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has also published a security advisory. Asset owners and operators are strongly urged to update affected workstations with the latest version of the CLICK Programming Software and to update affected CLICK Plus devices with the newer firmware. Robust network segmentation and continuous network traffic monitoring are also crucial to limit exposure and detect malicious activity.

To aid in identifying vulnerable devices, asset owners can utilize the advanced capabilities of the Nozomi Networks OT/IoT Security Platform, which provides deep visibility into network traffic and host activities, enabling effective vulnerability and threat detection across operational technology (OT) networks. Proactive monitoring is essential for security teams to respond effectively to vulnerabilities and attacks, minimizing the impact on critical infrastructure.
