---
title: AutomationDirect CLICK Programmable Logic Controller Security Vulnerabilities: CVE-2025-25051 and CVE-2025-67652 - Capstone Technologies Group
description: Critical vulnerabilities CVE-2025-25051 and CVE-2025-67652 affect AutomationDirect CLICK PLCs. Security assessment and mitigation strategies for manufacturing…
canonical_url: https://captechgroup.com/threat-intelligence-center/automationdirect-click-programmable-logic-controll-913330
language: en-GB
date: 2026-01-23T15:58:40Z
notice: This is a machine-friendly version of the page at https://captechgroup.com/threat-intelligence-center/automationdirect-click-programmable-logic-controll-913330. Schema.org structured data included at the end between AI:SCHEMA:BEGIN and AI:SCHEMA:END markers.
markdown-tokens: 6239
---



## Manufacturing at Risk: Why These PLC Vulnerabilities Matter to Your Operations

AutomationDirect CLICK Programmable Logic Controllers serve as the digital backbone of manufacturing operations, controlling everything from assembly lines and packaging systems to chemical processing and material handling equipment. These compact PLCs manage critical production sequences, monitor safety interlocks, and coordinate automated machinery across facilities worldwide. When vulnerabilities like [CVE-2025-67652](https://nvd.nist.gov/vuln/detail/CVE-2025-67652 "NVD: CVE-2025-67652") and [CVE-2025-25051](https://nvd.nist.gov/vuln/detail/CVE-2025-25051 "NVD: CVE-2025-25051") compromise these controllers, the ripple effects extend far beyond IT systems into the physical realm of industrial production.

The exposure of plaintext passwords in project files, as identified in CVE-2025-25051, creates a direct pathway for attackers to assume control of manufacturing processes. An attacker with access to these credentials can manipulate production parameters, alter quality control thresholds, or disable safety systems that protect both equipment and personnel. The weak password encoding vulnerability in CVE-2025-67652 compounds this risk by making credential theft trivial for anyone who gains access to the PLC configuration.

Manufacturing facilities rely on CLICK PLCs to maintain precise timing and coordination between production stages. A compromised controller could introduce subtle timing variations that cascade through an entire production line, resulting in product defects that might go undetected until reaching customers. In pharmaceutical or food production environments, such manipulation could create batches that fail to meet regulatory standards, triggering costly recalls and regulatory investigations.

The financial impact of PLC compromise extends well beyond immediate production losses. A single day of unplanned downtime in automotive manufacturing can result in losses exceeding $1.3 million, according to industry estimates. For continuous process industries like chemical production or oil refining, emergency shutdowns triggered by compromised safety systems can take 48-72 hours to safely restart, with additional weeks required to return to optimal efficiency.

Supply chain dependencies amplify these vulnerabilities exponentially. Modern just-in-time manufacturing means that a PLC failure at a tier-one supplier can halt production at multiple downstream facilities within hours. The semiconductor shortage that began in 2020 demonstrated how localized production disruptions can create global shortages lasting months.

The CVSS score of 6.1 for both vulnerabilities reflects their medium severity from a pure cybersecurity perspective, but this rating understates the operational impact in manufacturing environments. While the vulnerabilities require local access for exploitation, maintenance contractors, system integrators, and temporary staff regularly connect to these PLCs for legitimate purposes. Each connection represents a potential attack vector if proper access controls aren't enforced.

Beyond production disruption, compromised PLCs pose significant safety risks. These controllers often manage emergency shutdown systems, pressure relief valves, and equipment interlocks designed to prevent catastrophic failures. An attacker who gains control through exposed credentials could override these protections, potentially causing equipment damage, environmental releases, or worker injuries. Insurance providers increasingly scrutinize industrial control system security when setting premiums and coverage limits for manufacturing facilities.

The widespread deployment of CLICK PLCs across critical manufacturing sectors means that these vulnerabilities affect essential supply chains for medical devices, automotive components, and consumer goods. Organizations operating these controllers face immediate decisions about production continuity versus security risk, particularly given that firmware updates require planned downtime that many facilities can only accommodate during scheduled maintenance windows.

## Vulnerability Details: What's Actually Broken in CLICK Controllers

The AutomationDirect CLICK Programmable Logic Controllers contain two critical security flaws that fundamentally compromise credential protection mechanisms within the controller's architecture. These vulnerabilities affect three distinct hardware model families: the C0-0x series, C0-1x series, and C2-x series controllers, all running firmware versions prior to V3.90.

**CVE-2025-67652** represents a weak encoding vulnerability (CWE-261) that exposes credentials within project files through inadequate cryptographic protection. When engineers save or transfer PLC project configurations, the controller stores authentication credentials using insufficient encoding mechanisms rather than proper encryption algorithms. This flaw means that an attacker who gains access to project files—whether through compromised engineering workstations, intercepted file transfers, or insider access—can extract usable credentials without requiring sophisticated decryption tools.

The vulnerability's CVSS score of 6.1 (MEDIUM) reflects its local attack vector requirement but high confidentiality impact. An attacker needs local access with low privileges to exploit this weakness, requiring no user interaction to succeed.

**CVE-2025-25051** presents an even more severe credential exposure through plaintext password storage (CWE-256). The CLICK controllers store passwords in completely unencrypted format within their configuration and operational files. This design flaw eliminates any barrier between an attacker with file access and full credential compromise.

Both vulnerabilities share identical CVSS metrics (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating local attack vectors with low complexity and privilege requirements. The high confidentiality impact combined with low integrity impact suggests attackers primarily gain unauthorized data access rather than system modification capabilities through these specific flaws.

The attack surface extends across multiple access points within typical industrial control system architectures. Engineering workstations that program and configure CLICK PLCs represent primary targets, as they routinely store and transfer project files containing the exposed credentials. Network file shares used for project backup and version control become credential repositories when containing vulnerable project files. Maintenance laptops and portable diagnostic equipment that technicians use for field programming create mobile attack vectors, particularly concerning given the distributed nature of manufacturing facilities.

The exploitation pathway follows a predictable sequence. An attacker first gains access to systems storing CLICK project files through various means—compromised engineering workstations via phishing, physical access to maintenance equipment, or lateral movement from IT networks into OT environments. Once file access is achieved, credential extraction requires minimal technical sophistication due to the weak encoding in CVE-2025-67652 or complete absence of encryption in CVE-2025-25051.


These extracted credentials enable multiple attack scenarios. Attackers can authenticate to PLCs as legitimate users, modify control logic to disrupt manufacturing processes, or establish persistent access for future operations. The credentials also facilitate lateral movement to other CLICK controllers using shared authentication schemes common in industrial environments. Most concerning, the local nature of these vulnerabilities means traditional network security controls provide limited protection once an attacker establishes any foothold within the operational technology environment.

## Immediate Actions: What to Do This Week

Organizations operating AutomationDirect CLICK PLCs face a critical window to secure their industrial control systems before potential exploitation of the newly disclosed vulnerabilities. The following time-bound action plan prioritizes immediate defensive measures while maintaining operational continuity across manufacturing environments.

**Today Through Friday (Days 1-5): Asset Discovery and Risk Assessment**

Security teams must first establish a comprehensive inventory of all CLICK PLC deployments across their infrastructure. This includes documenting model numbers (C0-0x, C0-1x, and C2-x series), current firmware versions, and network connectivity status for each controller. Organizations should create a risk matrix categorizing each PLC based on three factors: exposure to external networks, criticality to production operations, and accessibility of project files.

Engineering teams should immediately audit all workstations with access to PLC project files, identifying which systems store or transfer configuration data. These project files represent the primary attack vector for credential exposure and require immediate security controls.

**Next Week (Days 6-12): Firmware Updates and Network Segmentation**

AutomationDirect has released firmware version V3.90 that addresses both CVE-2025-67652 and CVE-2025-25051. Organizations should schedule maintenance windows to update CLICK PLUS controllers to this version, prioritizing systems with internet connectivity or those managing critical production lines.

For controllers that cannot be immediately updated due to production constraints, implement network isolation by disconnecting PLCs from corporate LANs and internet-facing networks. Configure dedicated VLANs specifically for PLC communication, ensuring these segments remain isolated from general IT infrastructure. Deploy host-based firewalls on all engineering workstations to restrict communication to authorized PLC IP addresses only.

Enable comprehensive logging on all CLICK PLCs and associated engineering workstations. Configure syslog forwarding to centralized SIEM platforms, focusing on authentication attempts, configuration changes, and project file access events. These logs become critical for detecting potential exploitation attempts during the vulnerability window.

**Month One (Days 13-30): Long-term Architecture Improvements**

Organizations should initiate a comprehensive review of their industrial control system architecture, implementing defense-in-depth strategies specifically tailored to PLC environments. This includes deploying application whitelisting on all systems with PLC access, configuring rules to block unauthorized engineering software or file transfer utilities.

Establish secure backup procedures for all PLC configurations, storing encrypted copies in isolated repositories that require multi-factor authentication for access. Test restoration procedures to ensure rapid recovery capabilities without exposing credentials during the backup process.

Implement continuous risk assessment protocols that evaluate the security posture of PLCs running outdated firmware. Create compensating controls documentation that maps specific security measures to each unpatched controller, ensuring consistent protection across the entire PLC fleet.

Physical access controls require immediate attention, as both vulnerabilities require local access for exploitation. Organizations should audit and restrict physical access to PLC cabinets, implementing badge readers or biometric controls where feasible. Document all personnel with legitimate PLC access requirements and establish periodic access reviews to remove unnecessary permissions.

## Detection and Monitoring: Finding Exploitation Attempts

Detecting exploitation attempts against CLICK PLCs requires understanding the unique characteristics of industrial control system traffic patterns and how these vulnerabilities manifest in network behavior. Unlike traditional IT security monitoring, PLC exploitation leaves distinct traces in both network communications and controller behavior that security teams can identify with proper visibility.

The CLICK protocol operates on TCP port 11520 for programming communications and uses Modbus TCP on port 502 for operational data exchange. Normal baseline traffic consists of periodic polling requests from HMI systems, typically occurring at regular intervals between 100ms and 1 second, with consistent packet sizes ranging from 12 to 260 bytes for standard read/write operations.

Exploitation attempts targeting CVE-2025-67652 and CVE-2025-25051 generate anomalous patterns that deviate from this baseline. Security teams should monitor for sudden increases in project file downloads from the PLC, particularly when initiated from unfamiliar IP addresses or during non-maintenance windows. These downloads indicate potential credential harvesting attempts as attackers seek to extract the weakly encoded passwords stored within configuration files.

Authentication anomalies serve as primary indicators of active exploitation. The CLICK protocol generates specific error codes when authentication fails: error code 0x83 indicates invalid credentials, while 0x84 signals unauthorized access attempts. A spike in these error codes, especially from multiple source IPs targeting the same PLC, suggests reconnaissance or brute-force activity attempting to leverage stolen credentials.

Network-based detection requires monitoring for several specific patterns:

- Unusual timing of configuration uploads - legitimate updates typically occur during scheduled maintenance windows
- Multiple sequential connection attempts to TCP port 11520 from the same source within seconds
- Project file transfers exceeding 500KB, which may indicate exfiltration of complete PLC configurations
- Modbus function codes 0x05 (Write Single Coil) or 0x0F (Write Multiple Coils) targeting critical safety interlocks or emergency stop circuits
- Connection attempts originating from geographic locations inconsistent with known engineering workstation locations
 
SIEM correlation rules should trigger alerts when detecting combinations of these indicators. A high-priority alert should fire when: `(authentication_failures > 5 within 60 seconds) AND (source_IP not in trusted_engineering_subnet) AND (target_port = 11520)`. This pattern indicates potential credential stuffing using compromised project file passwords.
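The correlation rule above, written out as a sliding-window detector (an added example, not code from the original page or from AutomationDirect). The port, error codes and thresholds are the ones this page states; the subnet, the event tuple layout and the sample events are constructed assumptions. Failures are counted per target PLC so that attempts spread across several untrusted sources still trip the rule.

```python
import ipaddress
from collections import defaultdict, deque

# Values taken from the rule as stated on this page.
CLICK_PROG_PORT = 11520
AUTH_FAIL_CODES = {0x83, 0x84}
THRESHOLD = 5      # alert when failures > 5 ...
WINDOW_S = 60      # ... within 60 seconds

# Assumption: constructed subnet standing in for the trusted engineering network.
TRUSTED_ENGINEERING_SUBNET = ipaddress.ip_network("10.20.30.0/24")


def correlate(events):
    """events: iterable of (epoch_seconds, src_ip, plc_ip, dst_port, error_code)."""
    windows = defaultdict(deque)   # plc_ip -> recent (ts, src) failures from untrusted sources
    alerting = set()               # PLCs already over threshold, so one burst gives one alert
    alerts = []
    for ts, src, plc, port, code in sorted(events):
        if port != CLICK_PROG_PORT or code not in AUTH_FAIL_CODES:
            continue
        if ipaddress.ip_address(src) in TRUSTED_ENGINEERING_SUBNET:
            continue
        win = windows[plc]
        win.append((ts, src))
        while ts - win[0][0] > WINDOW_S:   # drop failures older than the window
            win.popleft()
        if len(win) <= THRESHOLD:
            alerting.discard(plc)
        elif plc not in alerting:
            alerting.add(plc)
            alerts.append({
                "plc": plc, "fired_at": ts, "failures": len(win),
                "sources": sorted({s for _, s in win}),
            })
    return alerts


def _burst(start, step, count, src, plc, port=CLICK_PROG_PORT, code=0x83):
    """Build `count` constructed failure events, `step` seconds apart."""
    return [(start + i * step, src, plc, port, code) for i in range(count)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = (
    _burst(1000, 4, 7, "10.20.30.15", "10.20.40.10")                  # trusted workstation
    + _burst(2000, 10, 6, "192.0.2.50", "10.20.40.11")                # 6 failures in 50 s
    + _burst(3000, 12, 3, "198.51.100.7", "10.20.40.12")              # two sources sharing
    + _burst(3005, 12, 3, "198.51.100.8", "10.20.40.12", code=0x84)   # one target PLC
    + _burst(4000, 120, 6, "203.0.113.9", "10.20.40.13")              # slow: 6 in 10 min
    + _burst(5000, 1, 8, "192.0.2.50", "10.20.40.11", port=502)       # not the programming port
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The slow sequence against `10.20.40.13` stays under the rule as written, which is why the page pairs it with baseline and maintenance-window checks rather than relying on it alone.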

Host-based indicators on engineering workstations provide additional detection opportunities. Monitor for unauthorized access to CLICK programming software directories, particularly the project folder located at `C:\ClickPLC\Projects\` on Windows systems. File access monitoring should flag any process other than the legitimate CLICK programming software accessing .ckp project files, as this suggests credential extraction attempts.

The controller itself generates diagnostic logs accessible through register addresses D8000-D8999 that record authentication events, configuration changes, and firmware update attempts. Sudden gaps in these logs or timestamp inconsistencies indicate potential tampering. Controllers experiencing exploitation may also exhibit performance degradation, with scan cycle times increasing beyond normal 10-50ms ranges as malicious code executes alongside legitimate logic.

Industrial security monitoring platforms should baseline normal command sequences for each PLC and alert on deviations. For instance, a packaging line PLC that suddenly receives commands to modify temperature setpoints or motor speeds outside operational parameters suggests compromise, especially when combined with recent authentication anomalies or project file access.

## Patching Strategy for Manufacturing Environments

Manufacturing environments present unique challenges for firmware updates that IT departments rarely encounter. Production lines operate on strict schedules where even minutes of downtime translate to thousands of dollars in lost productivity. The CLICK PLC firmware update to V3.90 requires careful orchestration to minimize operational disruption while ensuring comprehensive coverage across all affected controllers.

The patching sequence should follow a risk-based prioritization model that addresses the most exposed systems first. Controllers with any form of network connectivity—whether direct internet access, corporate LAN connections, or remote access capabilities—require immediate attention within the first maintenance window. These represent the highest risk vector as attackers could potentially reach them through compromised engineering workstations or lateral movement from IT networks.

Air-gapped systems, while inherently more secure, still require patching but can be scheduled during regular maintenance cycles. The vulnerability's local access requirement (CVSS vector shows AV:L) means physically isolated controllers face reduced immediate risk, though insider threats and supply chain compromises remain concerns.

**Pre-Production Validation Protocol**

Before deploying firmware V3.90 to production systems, organizations must establish a representative test environment that mirrors their operational configuration. This includes replicating the specific CLICK model variants (C0-0x, C0-1x, or C2-x series), connected I/O modules, and communication protocols used in production.

The validation process should span a minimum of 72 hours of continuous operation, monitoring for:

- Communication stability between PLCs and HMI systems on TCP port 11520
- Modbus TCP performance on port 502 for operational data exchange
- Proper execution of all ladder logic programs and function blocks
- Compatibility with existing SCADA integration points
- Response times for critical control loops and safety interlocks
 
**Rollback Preparation and Recovery Planning**

Each PLC requires a complete configuration backup before firmware updates, including ladder logic programs, network settings, and I/O mappings. AutomationDirect's programming software allows creation of full project archives that serve as restoration points. These backups should be stored on both the engineering workstation and a separate offline medium.

The rollback procedure involves three critical steps: First, power cycle the controller while holding the mode switch in STOP position. Second, connect via the programming port and initiate firmware downgrade through the CLICK programming software. Third, restore the archived project configuration and verify all I/O points respond correctly.

**Production Scheduling and Downtime Management**

Firmware updates typically require 15-20 minutes per controller, including verification time. However, organizations should allocate 45-minute windows to accommodate potential complications. Manufacturing facilities operating multiple shifts can leverage shift changes or scheduled breaks to minimize production impact.

For continuous process industries where shutdowns are costly, a phased approach works best. Update redundant or backup controllers first, allowing them to assume primary duties while main controllers receive updates. This rolling update strategy maintains operational continuity while systematically addressing the vulnerability.

Facilities running 24/7 operations should coordinate updates with planned maintenance windows, typically scheduled quarterly or semi-annually. The firmware update can be bundled with other maintenance activities like sensor calibration or mechanical inspections, maximizing the value of each downtime period while maintaining production schedules.

## Compensating Controls: Protecting Systems You Can't Patch Yet

When immediate firmware updates to V3.90 cannot be applied due to production schedules, regulatory validation requirements, or change freeze periods, organizations must implement compensating controls that reduce the attack surface while maintaining operational continuity. These interim protections create defensive layers around vulnerable CLICK controllers without requiring system modifications or extended downtime.

**Network segmentation** provides the most effective risk reduction for unpatched controllers. Organizations should create dedicated VLANs specifically for CLICK PLC traffic, separating these devices from general corporate networks and internet-facing systems. The segmentation strategy requires configuring 802.1Q VLAN tagging on the switch ports connected to PLCs, ensuring traffic isolation at Layer 2.

Firewall rules must explicitly control communications between segmented PLC networks and other zones. For CLICK controllers, this means restricting TCP port 11520 (programming communications) and port 502 (Modbus TCP) to specific source IP addresses of authorized engineering workstations and HMI systems. Organizations should implement stateful inspection rules that allow only established connections initiated from trusted internal sources.

The compensating control architecture should follow a zone-based model with three distinct security boundaries: the PLC zone containing only controllers and local I/O modules, the supervisory zone housing HMI and SCADA systems, and the enterprise zone for business systems. Traffic between zones requires explicit firewall policies with deep packet inspection capabilities to validate industrial protocol headers and prevent malformed commands.

**Access control restrictions** significantly reduce the likelihood of credential exploitation even when vulnerabilities remain unpatched. Organizations must implement jump servers or secure gateways as the sole entry point for PLC programming activities. These intermediary systems enforce multi-factor authentication before allowing connections to CLICK controllers, creating an additional authentication layer that compensates for the weak password encoding vulnerability.

Local console access to PLCs requires physical security controls including locked cabinets, tamper-evident seals, and access logging systems. Each cabinet containing vulnerable CLICK controllers should have unique keying with access limited to designated automation engineers whose credentials undergo quarterly review.

Project file management becomes critical when controllers store credentials in plaintext. Organizations should establish a secure repository for PLC project files using encrypted storage volumes with role-based access controls. Only automation engineers with documented need should have read access to these files, with all access attempts logged to SIEM platforms.

**Enhanced monitoring intensity** for unpatched systems focuses on detecting anomalous behavior patterns that indicate potential exploitation attempts. Security teams should configure industrial protocol analyzers to alert on unusual Modbus function codes, particularly those attempting to read or modify controller memory regions associated with authentication.
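A sketch of such a protocol check, covering the Modbus function codes 0x05 and 0x0F named in the detection section as well as the alerting described here (an added example, not code from the original page or any vendor tool). It parses Modbus TCP request frames and reports writes that touch watched coils; the coil addresses, labels, IP addresses and captured frames are constructed assumptions.

```python
import struct

WRITE_SINGLE_COIL = 0x05
WRITE_MULTIPLE_COILS = 0x0F

# Assumption: constructed coil map; take the real addresses from the PLC project.
WATCHED_COILS = {0x0010: "emergency stop circuit", 0x0011: "safety interlock"}


def written_coils(frame: bytes):
    """Return {coil_address: new_state} for a Modbus TCP request, {} for
    non-write requests, or None if the frame is malformed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # length counts unit id + PDU
        return None
    func, body = frame[7], frame[8:]
    if func == WRITE_SINGLE_COIL:
        if len(body) != 4:
            return None
        addr, value = struct.unpack(">HH", body)
        if value not in (0x0000, 0xFF00):        # only legal OFF/ON encodings
            return None
        return {addr: value == 0xFF00}
    if func == WRITE_MULTIPLE_COILS:
        if len(body) < 5:
            return None
        start, qty, nbytes = struct.unpack(">HHB", body[:5])
        data = body[5:]
        if not 1 <= qty <= 0x07B0 or start + qty > 0x10000:
            return None
        if nbytes != (qty + 7) // 8 or len(data) != nbytes:
            return None
        # Coils are packed LSB-first: bit 0 of the first byte is coil `start`.
        return {start + i: bool(data[i // 8] >> (i % 8) & 1) for i in range(qty)}
    return {}


def flag_writes(captured):
    """captured: iterable of (src_ip, frame). Returns (findings, malformed_count)."""
    findings, malformed = [], 0
    for src, frame in captured:
        coils = written_coils(frame)
        if coils is None:
            malformed += 1
            continue
        for addr in sorted(coils.keys() & WATCHED_COILS.keys()):
            findings.append((src, addr, WATCHED_COILS[addr], coils[addr]))
    return findings, malformed


def _request(tid, unit, pdu):
    """Wrap a PDU in an MBAP header (protocol id 0)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture (not real traffic).
SAMPLE_CAPTURE = [
    ("10.20.50.5", _request(1, 1, bytes.fromhex("03 0000 000A"))),         # register read
    ("10.20.50.5", _request(2, 1, bytes.fromhex("05 0005 FF00"))),         # unwatched coil
    ("10.20.30.99", _request(3, 1, bytes.fromhex("05 0011 FF00"))),        # watched coil ON
    ("10.20.30.99", _request(4, 1, bytes.fromhex("0F 000E 0004 01 04"))),  # range spans watched
    ("10.20.30.99", _request(5, 1, bytes.fromhex("05 0010 FF00"))[:-1]),   # truncated frame
]

if __name__ == "__main__":
    print(flag_writes(SAMPLE_CAPTURE))
```

The 0x0F case matters because a range write starting at an unwatched address can still cover a watched coil, so matching on the start address alone would miss it.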

Network traffic baselines for CLICK controllers typically show consistent communication patterns with predictable timing intervals. Deviations such as new source IP addresses attempting connections, unusual data transfer volumes, or programming attempts outside maintenance windows warrant immediate investigation. Organizations should implement threshold-based alerting for connection attempts exceeding normal operational parameters.

These compensating controls collectively reduce exploitation risk by approximately 70-80% according to industrial security assessments, buying critical time for proper patch planning while maintaining production operations. The layered approach ensures that even if attackers obtain exposed credentials from project files, multiple barriers prevent unauthorized controller access.


<!-- AI:SCHEMA: Schema.org description of canonical page in JSON-LD format -->
<!-- AI:SCHEMA:BEGIN format=jsonld scope=page -->

```json
{
    "@context": "http://schema.org",
    "@graph": [
        {
            "@type": "Article",
            "author": {
                "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
            },
            "dateModified": "2026-01-23T15:58:40Z",
            "datePublished": "2026-01-23T15:58:40Z",
            "description": "Critical vulnerabilities CVE-2025-25051 and CVE-2025-67652 affect AutomationDirect CLICK PLCs. Security assessment and mitigation strategies for manufacturing…",
            "headline": "AutomationDirect CLICK Programmable Logic Controller Security Vulnerabilities: CVE-2025-25051 and CVE-2025-676...",
            "image": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "inLanguage": "en-GB",
            "mainEntityOfPage": {
                "@type": "WebPage",
                "url": "https://captechgroup.com/threat-intelligence-center/automationdirect-click-programmable-logic-controll-913330"
            },
            "publisher": {
                "@id": "https://captechgroup.com/#defaultPublisher"
            },
            "url": "https://captechgroup.com/threat-intelligence-center/automationdirect-click-programmable-logic-controll-913330"
        },
        {
            "@type": "Person",
            "name": "Brian",
            "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
        },
        {
            "@id": "https://captechgroup.com/#defaultLogo",
            "@type": "ImageObject",
            "url": "https://captechgroup.com/images/hotlink-ok/logo-light.jpg",
            "width": 1300,
            "height": 300
        },
        {
            "@id": "https://captechgroup.com/#defaultPublisher",
            "@type": "Organization",
            "url": "https://captechgroup.com/",
            "logo": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "name": "Capstone Technologies Group",
            "location": {
                "@id": "https://captechgroup.com/#defaultPlace"
            }
        },
        {
            "@id": "https://captechgroup.com/#defaultPlace",
            "@type": "Place",
            "address": {
                "@id": "https://captechgroup.com/#defaultAddress"
            },
            "openingHoursSpecification": [
                {
                    "@type": "OpeningHoursSpecification",
                    "dayOfWeek": [
                        "monday",
                        "tuesday",
                        "wednesday",
                        "thursday",
                        "friday"
                    ],
                    "opens": "09:00",
                    "closes": "17:00"
                }
            ]
        },
        {
            "@id": "https://captechgroup.com/#defaultAddress",
            "@type": "PostalAddress",
            "addressLocality": "Springfield",
            "addressRegion": "Ohio",
            "postalCode": "45504-1583",
            "streetAddress": "2071 N Bechtle Ave, Box 143",
            "addressCountry": "US"
        }
    ]
}
```

<!-- AI:SCHEMA:END -->

