CVE-2025-54855: CWE-312 Cleartext Storage of Sensitive Information in AutomationDirect CLICK PLUS C0-0x CPU firmware

Severity: Medium
Type: Vulnerability
CVE ID: CVE-2025-54855
Tags: cve, cve-2025-54855, cwe-312
Published: Tue Sep 23 2025 (09/23/2025, 22:01:25 UTC)
Source: CVE Database V5
Vendor/Project: AutomationDirect
Product: CLICK PLUS C0-0x CPU firmware

Description

Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text.

AI-Powered Analysis

Last updated: 09/23/2025, 22:04:47 UTC

Technical Analysis

CVE-2025-54855 is a medium-severity vulnerability identified in the AutomationDirect CLICK PLUS C0-0x CPU firmware, specifically affecting the Click Programming Software version 3.60. The core issue is the cleartext storage of sensitive information, notably credentials, on the file system. This vulnerability falls under CWE-312, which covers sensitive data stored without encryption or adequate protection. Exploitation requires a local attacker who has access to the file system while an administrator session is active. The attacker can then retrieve credentials stored in clear text, potentially enabling unauthorized access or lateral movement within the affected system. The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) indicates that exploitation requires local access (AV:L) with high privileges (PR:H), that attack requirements are present (AT:P), and that passive user interaction is needed (UI:P). The result is a high confidentiality impact (VC:H) with no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been published yet. This vulnerability is particularly relevant to industrial control systems (ICS) environments where AutomationDirect's CLICK PLUS CPUs are deployed for automation tasks.

Potential Impact

For European organizations, especially those operating in industrial automation, manufacturing, and critical infrastructure sectors, this vulnerability poses a risk of credential theft leading to unauthorized access to control systems. The cleartext storage of credentials can facilitate insider threats or attackers who gain local access, potentially allowing them to manipulate automation processes, disrupt operations, or exfiltrate sensitive operational data. While the vulnerability does not directly impact system availability or integrity, stolen credentials can be leveraged for further attacks, including privilege escalation or lateral movement within industrial networks. Given the critical nature of automation systems in European manufacturing hubs and critical infrastructure, exploitation could lead to operational disruptions and safety risks. The requirement for local access and an active administrator session limits remote exploitation but does not eliminate risk from insiders or from attackers who have breached perimeter defenses.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement strict access controls to limit local file system access to trusted personnel only, especially during active administrator sessions. Employing endpoint security solutions that monitor and restrict unauthorized file access can help detect and prevent credential theft attempts. Organizations should also enforce the principle of least privilege, ensuring that users operate with the minimum necessary rights to reduce the risk of credential exposure. Regularly auditing and monitoring administrator sessions can help identify suspicious activities early. Since no patches are currently available, organizations should consider isolating affected devices within segmented networks to limit lateral movement if credentials are compromised. Additionally, adopting multi-factor authentication (MFA) for accessing automation systems can reduce the impact of stolen credentials. Finally, organizations should engage with AutomationDirect for updates and apply firmware patches promptly once released.

Technical Details

Data Version: 5.1
Assigner Short Name: icscert
Date Reserved: 2025-09-16T20:09:26.633Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d319714a1305fb85d6f649

Added to database: 9/23/2025, 10:04:33 PM

Last enriched: 9/23/2025, 10:04:47 PM

Last updated: 9/25/2025, 4:45:03 PM
