PatchSiren cyber security CVE debrief
CVE-2025-62688 AutomationDirect CVE debrief
CISA published advisory ICSA-25-296-01 on 2025-10-23 for CVE-2025-62688 in AutomationDirect Productivity Suite. The issue is an incorrect permission assignment in version 4.4.1.19 that can allow a low-privileged attacker to change their role and gain full control access to the project. AutomationDirect’s published remediation is to update Productivity Suite to 4.5.0.x or higher, and to apply OT network hardening and isolation measures when upgrading is not immediately possible.
- Vendor: AutomationDirect
- Product: Productivity Suite
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-10-23
- Original CVE updated: 2025-10-23
- Advisory published: 2025-10-23
- Advisory updated: 2025-10-23
Who should care
Organizations running AutomationDirect Productivity Suite 4.4.1.19, especially engineering teams, OT/ICS administrators, and defenders responsible for Productivity PLC environments. Sites using related Productivity PLC, HMI, or SCADA deployments should also review segmentation and access controls because the advisory includes those product families in its mitigation scope.
Technical summary
The advisory describes an authorization flaw: an incorrect permission assignment for a critical resource in Productivity Suite 4.4.1.19. A low-privileged user may be able to change roles and obtain full control over the project, which maps to privilege escalation with high integrity and availability impact. The supplied CVSS v3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (7.1): local access and low privileges are required, no user interaction is needed, and no confidentiality impact is scored.
Defensive priority
High. Prioritize if Productivity Suite 4.4.1.19 is deployed, because the flaw can let a low-privileged account obtain project-level control and materially affect OT engineering workflows.
Recommended defensive actions
- Upgrade AutomationDirect Productivity Suite to version 4.5.0.x or higher.
- Update Productivity PLC firmware to the latest vendor-available version using AutomationDirect’s software download portal.
- Restrict or remove unnecessary access to engineering workstations and project files, especially accounts with low privilege that do not need role-management rights.
- Segment PLC and related OT systems from broader corporate and internet-connected networks.
- If upgrading is not possible, physically disconnect the PLC from external networks where operationally feasible.
- Apply firewall rules or NAC policies to block unnecessary inbound and outbound traffic to the PLC and related OT hosts.
- Review vendor security considerations and perform a network security analysis to validate the required protection level for the environment.
Evidence notes
All substantive facts in this debrief come from the CISA CSAF advisory source item for ICSA-25-296-01 and its listed references. The source was initially published and modified on 2025-10-23, and the advisory text specifically names Productivity Suite 4.4.1.19, the low-privilege role-change condition, and the vendor’s remediation to 4.5.0.x or higher.
Official resources
- CVE-2025-62688 CVE record (CVE.org)
- CVE-2025-62688 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA advisory ICSA-25-296-01 was initially published on 2025-10-23. The supplied corpus does not indicate KEV listing for CVE-2025-62688.