CVE-2025-58069: CWE-321 Use of Hard-coded Cryptographic Key in AutomationDirect CLICK PLUS C0-0x CPU firmware
The use of a hard-coded cryptographic key was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software contains a hard-coded AES key used to protect the initial messages of a new KOPS session.
AI Analysis
Technical Summary
CVE-2025-58069 identifies a weakness in firmware version 3.60 of the AutomationDirect CLICK PLUS C0-0x CPU programmable logic controller (PLC): an AES key is hard-coded in the firmware and used to protect the initial messages of a new KOPS session. (The advisory does not expand the acronym or document the protocol, so the exact role of those messages is not public.) A key compiled into the firmware is the same in every unit and can be recovered by anyone with a copy of the image, so once it is extracted it lets the session-setup messages of every affected device be decrypted and, if the key is the only thing protecting those messages, forged as well. Because a PLC sits in the control layer of an industrial control system (ICS), weakening the protection on its session setup can be a stepping stone to unauthorized access to, or manipulation of, the process it runs. The CVSS 4.0 base score of 6.9 (medium) corresponds to a vector that is network-reachable and requires no privileges or user interaction, with low confidentiality impact and no integrity or availability impact; the scored risk is therefore disclosure of session-setup traffic, and any further consequence of forging it is not reflected in the score. No exploitation in the wild had been reported and no fixed firmware was available at the time of this analysis. The weakness is classified as CWE-321 (Use of Hard-coded Cryptographic Key): a key that ships inside the product is effectively a published key, and whatever it protects should be assumed to be readable, and possibly writable, by an attacker on the network path.
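The contrast the summary draws, between a session-open message protected by a key baked into every unit and one protected by a key that exists only for that session, as an added Go example that is not code from the advisory or from AutomationDirect. Nothing in it is the real KOPS protocol: the firmware key bytes, the associated-data label, the message contents and the X25519-based replacement are all constructed for illustration. The weak path shows that whoever holds the carved key both reads a captured session-open and produces one the receiver accepts; the hardened path shows that the same carved key is useless against a per-session key while the legitimate peer still decrypts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Constructed stand-in for the constant AES key an analyst would carve out of
// the firmware image; the bytes are arbitrary, the problem is that every unit
// ships with the same ones, so one extraction breaks the whole fleet.
var firmwareKey = []byte("constructed-key-not-the-real-one") // 32 bytes, AES-256

// Hypothetical AEAD associated-data label for the session-open message; the
// real KOPS wire format is not published in the advisory.
var sessionAAD = []byte("KOPS-session-open")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// sealAESGCM returns nonce || ciphertext || tag for plaintext under key.
func sealAESGCM(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	must(io.ReadFull(rand.Reader, nonce))
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// openAESGCM reverses sealAESGCM; a wrong key or altered bytes fail the tag check.
func openAESGCM(key, wire, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(wire) < gcm.NonceSize() {
		return nil, fmt.Errorf("session-open message too short: %d bytes", len(wire))
	}
	return gcm.Open(nil, wire[:gcm.NonceSize()], wire[gcm.NonceSize():], aad)
}

// CWE-321 pattern: the client seals the session-open message with firmwareKey
// and the PLC opens it with the same constant. An attacker who carved the key
// from a firmware dump runs exactly these two calls.
func weakSessionOpen(payload []byte) []byte        { return sealAESGCM(firmwareKey, payload, sessionAAD) }
func weakSessionAccept(wire []byte) ([]byte, error) { return openAESGCM(firmwareKey, wire, sessionAAD) }

// Hardened pattern: a per-session key from an ephemeral X25519 agreement, so the
// firmware holds no long-lived symmetric secret. Peer authentication (a device
// certificate or signed ephemeral keys) is still needed against an active
// man-in-the-middle and is omitted here.
type endpoint struct{ priv *ecdh.PrivateKey }

func newEndpoint() *endpoint { return &endpoint{must(ecdh.X25519().GenerateKey(rand.Reader))} }

func (e *endpoint) publicBytes() []byte { return e.priv.PublicKey().Bytes() }

// sessionKey derives a fresh AES-256 key from the shared secret and both public
// keys, ordered so that client and PLC hash identical input.
func (e *endpoint) sessionKey(peerPub []byte) []byte {
	shared := must(e.priv.ECDH(must(ecdh.X25519().NewPublicKey(peerPub))))
	lo, hi := e.publicBytes(), peerPub
	if bytes.Compare(lo, hi) > 0 {
		lo, hi = hi, lo
	}
	key := sha256.Sum256(bytes.Join([][]byte{sessionAAD, shared, lo, hi}, nil))
	return key[:]
}

// demoResult records what each party can do with a captured session-open.
type demoResult struct {
	AttackerReadsWeak, AttackerForgesWeak, PeerReadsHardened, AttackerReadsHardened bool
}

func runDemo() demoResult {
	var r demoResult
	payload := []byte("OPEN client=eng-ws-01 proj=line3") // constructed sample

	wire := weakSessionOpen(payload)
	got, err := openAESGCM(firmwareKey, wire, sessionAAD) // attacker reads with the carved key
	r.AttackerReadsWeak = err == nil && bytes.Equal(got, payload)
	_, err = weakSessionAccept(sealAESGCM(firmwareKey, []byte("OPEN client=attacker"), sessionAAD))
	r.AttackerForgesWeak = err == nil // the PLC cannot tell a forged session-open from a real one

	client, plc := newEndpoint(), newEndpoint()
	wire = sealAESGCM(client.sessionKey(plc.publicBytes()), payload, sessionAAD)
	got, err = openAESGCM(plc.sessionKey(client.publicBytes()), wire, sessionAAD)
	r.PeerReadsHardened = err == nil && bytes.Equal(got, payload)
	_, err = openAESGCM(firmwareKey, wire, sessionAAD) // the carved key is useless here
	r.AttackerReadsHardened = err == nil
	return r
}

func main() {
	fmt.Printf("%+v\n", runDemo())
}
```

Run with `go run .`; the printed struct shows the first three fields true and the last false. The hardened path deliberately leaves out peer authentication: an unauthenticated key agreement defeats a passive attacker holding the firmware key but not an active one, so a real fix pairs it with a per-device credential the client can verify, which is also why the mitigations below lean on network placement rather than on the device's own protocol.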
Potential Impact
For European organizations that run AutomationDirect CLICK PLUS PLCs, typically in manufacturing, utilities and other critical-infrastructure settings, the practical risk is an attacker positioned on the network path between the PLC and its programming client. With the extracted key, such an attacker can read the session-setup exchange and, if nothing else protects it, inject one of their own; what that buys them depends on what the session then permits, which the advisory does not state. The scored impact is limited to confidentiality, but a session-setup weakness is exactly the kind of foothold that gets combined with other flaws or weak network design to reach process control, so the operational consequences can exceed the score. Industrial networks in Europe are increasingly interconnected, which widens the set of positions from which this traffic can be observed. Regulatory frameworks such as the NIS2 Directive expect operators of essential and important entities to handle vulnerabilities in their systems, so an unpatched, exploitable weakness in a control device is a compliance matter as well as a technical one. With no fixed firmware available at the time of this analysis, and PLC firmware updates often infrequent in practice, compensating controls are the immediate priority.
Mitigation Recommendations
1. Network Segmentation: Isolate PLCs and other ICS devices from general IT networks and allow the ports used for programming sessions only from designated engineering workstations. With the session-setup protection known to be weak, limiting who can reach the PLC at all is the control that matters most.
2. Monitoring and Anomaly Detection: Use ICS-aware network monitoring to alert on session initiations to the PLC from hosts other than the approved workstations, and on session attempts outside maintenance windows.
3. Firmware Integrity Checks: Verify firmware images against vendor-published hashes before installation and record the running version of each unit. This does not address the CVE itself, since the key is part of the legitimate 3.60 image; it guards against tampered images and tells you which units still need the fix once one exists.
4. Vendor Engagement: Ask AutomationDirect for the fixed firmware version and its timeline, and for any interim configuration guidance; plan the update window now so the fix can be applied promptly when released.
5. Access Controls: Enforce strict authentication and least-privilege access on the programming software, the engineering workstations and any remote-access path to them, since those hosts are where an attacker would position themselves to use the key.
6. Incident Response Planning: Treat the firmware key as already compromised. ICS incident response plans should cover how to detect and respond to unexpected programming sessions and how to verify the project running on a PLC after a suspected intrusion.
7. Physical Security: Protect units against direct tampering and unauthorized local programming. This does not prevent key recovery, because the key is a property of the firmware image rather than of any one unit, but it removes the easiest path to the device.
8. Network-Level Encryption: Where possible, carry PLC traffic inside an authenticated, encrypted tunnel (for example a VPN or IPsec link between the engineering network and the cell) so that an attacker on the path sees only the tunnel and never the session-setup messages the hard-coded key fails to protect. Until fixed firmware is available, this is the compensating control that most directly neutralizes the weakness.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Poland, Spain, Sweden, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: icscert
- Date Reserved: 2025-09-16T20:09:26.602Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d31b57770bf6e4769153cb
Added to database: 9/23/2025, 10:12:39 PM
Last enriched: 10/1/2025, 12:48:02 AM
Last updated: 11/6/2025, 12:50:08 PM