CVE-2025-55038: CWE-862 Missing Authorization in AutomationDirect CLICK PLUS C0-0x CPU firmware
An authorization bypass vulnerability has been discovered in the Click Plus C2-03CPU2 device firmware version 3.60. Through the KOPR protocol utilized by the Remote PLC application, authenticated users with low-level access permissions can exploit this vulnerability to read and modify PLC variables beyond their intended authorization level.
AI Analysis
Technical Summary
CVE-2025-55038 is an authorization bypass vulnerability in firmware version 3.60 of the AutomationDirect CLICK PLUS C0-0x CPU series, specifically affecting the Click Plus C2-03CPU2 device. It arises from improper enforcement of authorization controls within the KOPR protocol, which the Remote PLC application uses to communicate with the programmable logic controller (PLC). Authenticated users with low-level access permissions can read and modify PLC variables that should be restricted to them, effectively elevating their privileges beyond the intended limits. The weakness is classified as CWE-862 (Missing Authorization): the system fails to verify whether a user is authorized to perform a given action before carrying it out. The CVSS v4.0 base score is 7.6 (high severity), reflecting a network attack vector (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality and integrity (VC:H, VI:H) with no impact on availability. The scope remains unchanged (S:U). No exploits are currently known in the wild, and no patches have been released yet. An attacker with limited access could therefore manipulate industrial control processes by altering PLC variables, potentially causing unsafe operational states or leaking data within industrial environments.
Potential Impact
For European organizations, particularly those operating in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability poses a significant risk. Exploitation could lead to unauthorized manipulation of industrial processes, causing operational disruptions, safety hazards, and potential physical damage to equipment. Confidentiality breaches could expose sensitive operational data, intellectual property, or process parameters. The ability to modify PLC variables without proper authorization undermines the integrity of control systems, potentially leading to incorrect process execution or unsafe conditions. Given the widespread use of AutomationDirect CLICK PLUS PLCs in European manufacturing and automation sectors, exploitation could impact production lines, utilities, and infrastructure management. Additionally, the high attack complexity somewhat limits exploitation to skilled attackers with network access and some level of authentication, but the lack of required user interaction facilitates remote exploitation once initial access is obtained. The absence of patches increases the urgency for organizations to implement compensating controls to mitigate risk.
Mitigation Recommendations
1. Implement strict network segmentation to isolate PLC devices and the Remote PLC application from general IT networks and untrusted sources.
2. Enforce strong access controls and multi-factor authentication for all users accessing the Remote PLC application to reduce the risk of unauthorized low-level access.
3. Monitor and log all access to PLC devices, focusing on anomalous read/write operations to detect potential exploitation attempts.
4. Restrict the use of the KOPR protocol to trusted hosts and networks only, using firewall rules and network access control lists.
5. Employ intrusion detection/prevention systems tailored for industrial control systems to identify suspicious activities targeting PLCs.
6. Coordinate with AutomationDirect for timely firmware updates and patches; until patches are available, consider temporary operational restrictions or compensating controls.
7. Conduct regular security assessments and penetration testing focused on industrial control systems to identify and remediate similar authorization weaknesses.
8. Train operational technology (OT) personnel on the risks of privilege escalation and the importance of adhering to security policies.
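The CWE-862 pattern from the technical summary, together with the log-based monitoring in mitigation 3, as an added example that is not part of this advisory and is not AutomationDirect's code. It shows a variable-access handler that checks only that the caller is authenticated beside a hardened handler that also checks, per variable and per operation, whether the caller's role is allowed, and reuses the same policy to audit access records. The roles, tag names, tag table and log format are constructed for illustration; nothing here reflects the KOPR protocol or the CLICK PLUS firmware.

```python
"""Added example, not code from the advisory or from AutomationDirect. Models
the CWE-862 pattern described above: a handler that verifies authentication
but never checks whether the caller's role may read or write a given PLC
variable, beside a hardened handler with a per-variable policy, and a log audit
that replays access records against that policy (mitigation 3). Roles, tags,
the tag table and the log format are constructed, not the KOPR protocol."""
from dataclasses import dataclass
from enum import IntEnum

class Role(IntEnum):
    """Constructed privilege levels; a higher value means more authority."""
    VIEWER = 1     # may read operator-visible tags only
    OPERATOR = 2   # may also read protected tags and write setpoints
    ENGINEER = 3   # may read and write everything, including interlocks

@dataclass(frozen=True)
class TagSpec:
    min_read: Role   # lowest role allowed to read the tag
    min_write: Role  # lowest role allowed to write the tag

# Constructed tag table standing in for the device's variable map.
TAGS = {
    "DS1_ProductionCount": TagSpec(Role.VIEWER, Role.ENGINEER),
    "DF1_TankSetpoint": TagSpec(Role.OPERATOR, Role.OPERATOR),
    "C5_SafetyInterlock": TagSpec(Role.OPERATOR, Role.ENGINEER),
}

@dataclass(frozen=True)
class Session:
    user: str
    role: Role
    authenticated: bool = True

class AuthorizationError(PermissionError):
    """An authenticated caller lacks the right to the requested operation."""

def handle_vulnerable(session, op, tag, memory, value=None):
    """CWE-862 shape: authentication is verified, authorization is not, so a
    logged-in session of any role can read or overwrite any tag."""
    if not session.authenticated:
        raise PermissionError("not authenticated")
    if tag not in TAGS:
        raise KeyError(tag)
    if op == "read":
        return memory[tag]
    if op == "write":
        memory[tag] = value
        return value
    raise ValueError(f"unknown operation {op!r}")

def authorize(session, op, tag):
    """Fail-closed check: raise unless this role may perform op on tag."""
    if not session.authenticated:
        raise PermissionError("not authenticated")
    spec = TAGS.get(tag)
    if spec is None:
        raise KeyError(tag)
    required = {"read": spec.min_read, "write": spec.min_write}.get(op)
    if required is None:
        raise ValueError(f"unknown operation {op!r}")
    if session.role < required:
        raise AuthorizationError(f"{session.user} ({session.role.name}) may not "
                                 f"{op} {tag}; needs {required.name}")

def is_authorized(session, op, tag):
    """Boolean form of authorize() for callers that prefer not to catch."""
    try:
        authorize(session, op, tag)
        return True
    except (PermissionError, KeyError, ValueError):
        return False

def handle_hardened(session, op, tag, memory, value=None):
    """Same handler, with the authorization decision made before any access."""
    authorize(session, op, tag)
    if op == "read":
        return memory[tag]
    memory[tag] = value
    return value

# Constructed access-log lines: <timestamp> <user> <role> <op> <tag>
SAMPLE_LOG = """\
2025-09-20T10:01:02Z alice VIEWER read DS1_ProductionCount
2025-09-20T10:01:09Z alice VIEWER read C5_SafetyInterlock
2025-09-20T10:02:30Z bob OPERATOR write DF1_TankSetpoint
2025-09-20T10:03:11Z bob OPERATOR write C5_SafetyInterlock
2025-09-20T10:04:00Z carol ENGINEER write C5_SafetyInterlock
"""

def audit_log(log_text):
    """Replay logged operations against the policy and return those a correctly
    authorizing device would have refused; these are the records to alert on."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, role_name, op, tag = line.split()
        try:
            authorize(Session(user, Role[role_name]), op, tag)
        except (AuthorizationError, KeyError, ValueError) as exc:
            findings.append((ts, user, op, tag, str(exc)))
    return findings
```

The hardened handler makes the authorization decision before touching PLC memory and fails closed on unknown tags and operations, so the only way to reach a read or write is through an explicit allow. Until a firmware fix is available, audit_log() applied to the Remote PLC access log gives a device-independent way to surface operations that a low-privilege account should never have been able to perform.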
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Poland, Spain, Sweden, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: icscert
- Date Reserved: 2025-09-16T20:09:26.660Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68d32020e9e7eb6a1ad1b623
Added to database: 9/23/2025, 10:33:04 PM
Last enriched: 10/1/2025, 12:47:10 AM
Last updated: 11/10/2025, 7:42:00 PM