CVE-2025-58069: CWE-321 Use of Hard-coded Cryptographic Key in AutomationDirect CLICK PLUS C0-0x CPU firmware
The use of a hard-coded cryptographic key was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software contains a hard-coded AES key used to protect the initial messages of a new KOPS session.
AI Analysis
Technical Summary
CVE-2025-58069 is a medium-severity vulnerability in firmware version 3.60 of the AutomationDirect CLICK PLUS C0-0x CPU programmable logic controller (PLC). The core issue is a hard-coded AES cryptographic key embedded in the firmware. This key protects the initial messages exchanged while a new KOPS (Key Operating System Protocol) session is established. A hard-coded key violates cryptographic best practice because it is static, predictable and cannot be changed by the end user, which makes it a significant security weakness. An attacker who obtains the key can potentially decrypt or forge those initial session messages, undermining the confidentiality and integrity of communications between the PLC and its management or control systems.

The vulnerability has a CVSS 4.0 base score of 6.9, a medium severity level. The attack vector is network-based (AV:N), and exploitation requires no privileges (PR:N), no user interaction (UI:N) and no special attack preconditions (AT:N), so it can be performed remotely without any prior access or user involvement. The scored impact, however, is limited to confidentiality (VC:L), with no direct impact on integrity or availability. No exploits are currently reported in the wild, and no patches have been released yet.

The weakness is classified as CWE-321 (Use of Hard-coded Cryptographic Key), a common and critical cryptographic weakness that can lead to unauthorized access or data exposure in industrial control systems (ICS). Because PLCs such as the CLICK PLUS series are widely used in industrial automation environments, this vulnerability could be leveraged to intercept or manipulate control commands during session initiation, potentially disrupting industrial processes or causing unsafe conditions if combined with other attack vectors.
Potential Impact
For European organizations, especially those operating in critical infrastructure sectors such as manufacturing, energy, water treatment, and transportation, this vulnerability poses a tangible risk. The CLICK PLUS PLCs are commonly deployed in industrial automation settings, and the compromise of session security could allow attackers to eavesdrop on or spoof control messages. Although the vulnerability does not directly allow command injection or denial of service, the exposure of cryptographic keys can facilitate further attacks by undermining trust in the control network communications. This could lead to operational disruptions, safety hazards, or intellectual property theft. European industries that rely heavily on automation and have integrated AutomationDirect PLCs into their control systems are at risk of targeted attacks, especially in environments where network segmentation or additional security controls are weak. The lack of authentication and user interaction requirements for exploitation increases the threat surface, making remote exploitation feasible if the PLCs are exposed to untrusted networks or insufficiently protected internal networks. Additionally, the absence of patches means organizations must rely on compensating controls until a firmware update is available.
Mitigation Recommendations
1. Network Segmentation: Isolate PLC devices from general IT networks and restrict access to trusted management systems only. Use VLANs and firewalls to limit exposure.
2. Access Control: Implement strict network access controls and monitoring to detect unauthorized scanning or connection attempts to PLC devices.
3. Encryption and VPNs: Use secure VPN tunnels or encrypted communication channels for remote access to industrial control networks to prevent interception of traffic.
4. Firmware Monitoring: Regularly check AutomationDirect's advisories for firmware updates or patches addressing this vulnerability and plan prompt deployment once available.
5. Intrusion Detection: Deploy specialized ICS/SCADA intrusion detection systems capable of identifying anomalous traffic patterns or attempts to exploit cryptographic weaknesses.
6. Key Management: Where possible, configure systems to use external cryptographic modules or protocols that do not rely on hard-coded keys, or implement compensating cryptographic controls at the network layer.
7. Incident Response Preparedness: Develop and test incident response plans specific to ICS environments to quickly respond to potential exploitation attempts.
8. Vendor Engagement: Engage with AutomationDirect for guidance and timelines on patch releases and request transparency on mitigation strategies.
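The pattern behind the CWE-321 finding and the key-management recommendation above, as an added example in Go that is not code from this advisory or from AutomationDirect: a constructed static key standing in for one baked into firmware, beside an ephemeral X25519 agreement that gives every session a fresh AES-256-GCM key, so that nothing extractable from the image can open the session-setup message. KOPS itself is not modelled; the function names, message format and key value are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// HardcodedKey stands in for a key baked into a firmware image (constructed value, not the real CLICK PLUS key).
var HardcodedKey = []byte("FIRMWARE-STATIC-KEY-EXAMPLE-0001") // identical on every unit, never rotated

// SessionKey is the hardened pattern: an ephemeral X25519 agreement yields a fresh AES-256 key per session.
func SessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer) // rejects low-order peer points
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(shared) // simplified KDF; production code would use HKDF
	return sum[:], nil
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key; anything else is a programming error
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal protects a session-setup message with AES-GCM, prepending a random nonce.
func Seal(key, msg []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, msg, nil)
}

// Open reverses Seal; it fails under any key other than the one used to seal.
func Open(key, msg []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(msg) >= n {
		return gcm.Open(nil, msg[:n], msg[n:], nil)
	}
	return nil, errors.New("truncated message")
}
```

With the static key, one copy of the firmware opens every unit's session setup; with SessionKey, an observer holding the image learns nothing usable and each session gets a different key.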
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Poland, Spain, Czech Republic, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: icscert
- Date Reserved: 2025-09-16T20:09:26.602Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d31b57770bf6e4769153cb
Added to database: 9/23/2025, 10:12:39 PM
Last enriched: 9/23/2025, 10:13:10 PM
Last updated: 9/25/2025, 12:08:24 AM