PatchSiren cyber security CVE debrief
CVE-2025-54855 AutomationDirect CVE debrief
CVE-2025-54855 is a medium-severity credential exposure issue in AutomationDirect CLICK PLUS. CISA’s advisory states that Click Programming Software v3.60 can store sensitive information in clear text, allowing a local user with file-system access to steal credentials while an administrator session is active. AutomationDirect recommends updating CLICK PLUS and related firmware to V3.80.
- Vendor: AutomationDirect
- Product: CLICK PLUS C0-0x CPU firmware
- CVSS: MEDIUM 4.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-23
- Original CVE updated: 2025-09-23
- Advisory published: 2025-09-23
- Advisory updated: 2025-09-23
Who should care
AutomationDirect CLICK PLUS operators, OT/ICS administrators, and Windows endpoint owners who manage or run Click Programming Software v3.60 should treat this as a credential-protection issue. It is especially relevant where local users, shared engineering workstations, or broad file-system access exist.
Technical summary
The advisory describes cleartext storage of sensitive information in Click Programming Software v3.60. The stated attack path requires a local user with file-system access and an active administrator session, at which point stored credentials can be read in clear text. The provided CVSS v3.1 vector is AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N: local attack vector, low attack complexity, high privileges required, user interaction required, unchanged scope, and a high confidentiality impact with no integrity or availability impact, matching a local, high-privilege, confidentiality-only issue.
Defensive priority
Medium priority. The issue is not listed as KEV, but it does expose credentials and can be abused by a local user with file-system access. Remediation is straightforward and vendor guidance is available, so upgrading should be scheduled promptly rather than deferred.
Recommended defensive actions
- Update CLICK PLUS and firmware to V3.80 as recommended by AutomationDirect.
- If you cannot patch immediately, isolate the CLICK PLUS PLC from external networks.
- Use trusted, dedicated internal networks or air-gapped systems for device communication.
- Restrict physical and logical access to authorized personnel only.
- Apply application whitelisting so only trusted software can run on engineering hosts.
- Use endpoint protection and host-based firewalls to reduce unauthorized access.
- Enable and review logs for suspicious or unauthorized activity.
- Maintain secure, tested backups of PLC configurations and related assets.
Evidence notes
All core claims are taken from the CISA CSAF advisory for ICSA-25-266-01 and its embedded notes: the issue is cleartext storage of sensitive information in Click Programming Software v3.60, exploitable by a local user with file-system access while an administrator session is active, with vendor remediation to V3.80. The published and modified dates in the supplied timeline are both 2025-09-23T06:00:00.000Z. No KEV entry was supplied.
Official resources
- CVE-2025-54855 CVE record (CVE.org)
- CVE-2025-54855 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2025-09-23 as ICSA-25-266-01; the supplied advisory revision history shows Initial Publication on the same date.