CVE-2025-54855: CWE-312 Cleartext Storage of Sensitive Information in AutomationDirect CLICK PLUS C0-0x CPU firmware
Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text.
AI Analysis
Technical Summary
CVE-2025-54855 is a medium-severity vulnerability identified in the firmware of AutomationDirect's CLICK PLUS C0-0x CPU, specifically within the Click Programming Software version 3.60. The core issue is the cleartext storage of sensitive information, notably credentials, within the system's file storage. This vulnerability arises from improper handling of sensitive data, classified under CWE-312 (Cleartext Storage of Sensitive Information). An attacker with local access to the file system and an active administrator session can exploit this flaw to retrieve credentials stored in clear text. The vulnerability requires a local attacker with high privileges (administrator) and partial user interaction, as indicated by the CVSS vector (AV:L/AC:L/AT:P/PR:H/UI:P). The impact on confidentiality is high since credentials can be stolen, but there is no direct impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been released yet. The vulnerability affects the firmware version 0 of the CLICK PLUS C0-0x CPU, which is used in industrial automation environments. Given the nature of the affected product—industrial control system (ICS) hardware—the risk extends to operational technology (OT) environments where unauthorized access to credentials could lead to further compromise or disruption of industrial processes.
Potential Impact
For European organizations, especially those operating in manufacturing, utilities, and critical infrastructure sectors that utilize AutomationDirect's CLICK PLUS C0-0x CPU devices, this vulnerability poses a tangible risk. The theft of credentials stored in cleartext could enable lateral movement within OT networks or unauthorized reconfiguration of industrial controllers, potentially leading to operational disruptions or safety hazards. Since the vulnerability requires local access with administrator privileges, the threat is more significant in environments where physical or network access controls are weak or where insider threats exist. The exposure of credentials could also facilitate subsequent attacks, such as privilege escalation or sabotage. Given Europe's strong emphasis on industrial cybersecurity and regulatory frameworks like NIS2, exploitation of this vulnerability could lead to compliance issues and reputational damage. The absence of patches increases the window of exposure, making timely mitigation critical.
Mitigation Recommendations
1. Restrict physical and network access to systems running CLICK PLUS C0-0x CPU firmware to trusted personnel only, enforcing strict access control policies.
2. Monitor and audit administrator sessions actively to detect any unauthorized access or suspicious activity.
3. Employ host-based intrusion detection systems (HIDS) to alert on unauthorized file system access or attempts to read sensitive files.
4. Implement network segmentation to isolate industrial control systems from general IT networks, limiting the attack surface.
5. Use multi-factor authentication (MFA) for administrative access where possible to reduce the risk of credential compromise.
6. Regularly back up configuration and credential data securely to enable recovery in case of compromise.
7. Engage with AutomationDirect for firmware updates or patches and apply them promptly once available.
8. Educate staff on the risks of credential exposure and enforce strong password management practices.
9. Consider deploying endpoint protection solutions tailored for OT environments that can detect anomalous behavior related to credential theft.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Poland, Spain, Sweden, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: icscert
- Date Reserved: 2025-09-16T20:09:26.633Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d319714a1305fb85d6f649
Added to database: 9/23/2025, 10:04:33 PM
Last enriched: 10/1/2025, 12:46:56 AM
Last updated: 11/9/2025, 5:12:18 AM
Views: 64