CVE-2025-60023 - Vulnerability Details

A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Automationdirect	P1-540 P1-550 P2-550 P2-622 P3-530 P3-550e P3-622 Productivity Suite

No data.

References

Link	Providers
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json
https://support.automationdirect.com/docs/securityconsiderations.pdf
https://www.automationdirect.com/support/software-downloads
https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01

History

Fri, 24 Oct 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Oct 2025 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Automationdirect Automationdirect p1-540 Automationdirect p1-550 Automationdirect p2-550 Automationdirect p2-622 Automationdirect p3-530 Automationdirect p3-550e Automationdirect p3-622 Automationdirect productivity Suite
Vendors & Products		Automationdirect Automationdirect p1-540 Automationdirect p1-550 Automationdirect p2-550 Automationdirect p2-622 Automationdirect p3-530 Automationdirect p3-550e Automationdirect p3-622 Automationdirect productivity Suite

Thu, 23 Oct 2025 22:45:00 +0000

Type	Values Removed	Values Added
Description		A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine.
Title		AutomationDirect Productivity Suite Relative Path Traversal
Weaknesses		CWE-23
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json https://support.automationdirect.com/docs/securityconsiderations.pdf https://www.automationdirect.com/support/software-downloads https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01
Metrics		cvssV3_1 `{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'}` cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2025-10-23T22:21:05.084Z

Updated: 2025-10-24T14:27:12.716Z

Reserved: 2025-10-21T21:55:11.899Z

Link: CVE-2025-60023

Vulnrichment

Updated: 2025-10-24T14:27:09.393Z

NVD

Status : Awaiting Analysis

Published: 2025-10-23T23:15:37.530

Modified: 2025-10-27T13:20:15.637

Link: CVE-2025-60023

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object