PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-67652 AutomationDirect CVE debrief

CVE-2025-67652 is a medium-severity credential exposure issue in AutomationDirect CLICK Programmable Logic Controller environments. According to CISA’s advisory, an attacker who can access the project file may recover exposed credentials and use them to impersonate users, escalate privileges, or gain unauthorized access to systems and services. AutomationDirect recommends updating CLICK PLUS firmware to V3.90 and applying compensating controls if immediate patching is not possible.

Vendor: AutomationDirect
Product: CLICK Programmable Logic Controller
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-22
Original CVE updated: 2026-01-22
Advisory published: 2026-01-22
Advisory updated: 2026-01-22

Who should care

OT/ICS teams running AutomationDirect CLICK PLC or CLICK PLUS systems, especially engineers, integrators, and administrators who store, share, or transfer project files. Organizations with shared engineering workstations, backup repositories, or broad access to PLC project files should pay particular attention.

Technical summary

The advisory describes credentials exposed within a project file, where insufficient encryption or secure handling increases the likelihood of misuse. The supplied CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and the advisory language indicate a local-access path centred on project-file access rather than a broad remote exploit. The impact is primarily to confidentiality, with limited integrity impact and potential privilege escalation and unauthorized access.

Defensive priority

Medium, but treat as higher priority if project files are widely accessible, copied between systems, or stored in shared locations. Remediation is straightforward and vendor guidance is available.

Recommended defensive actions

  • Update CLICK PLUS firmware to V3.90 using AutomationDirect’s supported software downloads.
  • If patching must be delayed, isolate the PLC from external networks and limit communication to trusted internal or air-gapped environments.
  • Restrict physical and logical access to authorized personnel only, including access to project files and engineering workstations.
  • Use application whitelisting and host-based firewalling to reduce unauthorized software and access attempts.
  • Enable logging and monitoring, and review logs for suspicious access to project files or PLC-related systems.
  • Maintain secure, tested backups of PLC configurations and monitor ongoing risk from any outdated firmware remaining in service.
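The logging and access-restriction items above are only useful if someone actually reviews the records. As an added example, not part of the advisory or of any AutomationDirect tooling, the following script parses constructed file-access audit records from an engineering workstation and flags project-file reads by accounts outside an engineering allowlist, access outside a change window, and copies to locations outside the approved project repository. The project-file extension, repository path, account names and hours are all assumptions that would be replaced with values from your own environment.

```python
"""Audit-record review for suspicious project-file access (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Assumptions for illustration, not taken from the advisory: replace with the
# real project-file extension, repository path, accounts and hours in use.
PROJECT_FILE_EXTS = {".ckp"}                    # hypothetical extension
APPROVED_REPOS = ("d:\\plc_projects\\",)        # hypothetical approved location (lower-case)
ENGINEERING_ACCOUNTS = {r"OT\eng.alice", r"OT\eng.bob"}
CHANGE_WINDOW = (time(7, 0), time(18, 0))       # hypothetical working hours


@dataclass
class FileEvent:
    timestamp: datetime
    account: str
    action: str            # read | write | copy
    path: str
    dest: Optional[str]    # copy destination, None for other actions


def parse_line(line: str) -> FileEvent:
    """Parse one pipe-delimited record: time|account|action|path|dest (dest may be empty)."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    ts, account, action, path, dest = fields
    return FileEvent(datetime.fromisoformat(ts), account, action, path, dest or None)


def is_project_file(path: Optional[str]) -> bool:
    """True when the path carries one of the configured project-file extensions."""
    return bool(path) and any(path.lower().endswith(ext) for ext in PROJECT_FILE_EXTS)


def in_approved_repo(path: str) -> bool:
    return any(path.lower().startswith(repo) for repo in APPROVED_REPOS)


def assess(event: FileEvent) -> List[str]:
    """Return findings for one event; an empty list means nothing to review."""
    if not (is_project_file(event.path) or is_project_file(event.dest)):
        return []
    findings = []
    if event.account not in ENGINEERING_ACCOUNTS:
        findings.append("project file accessed by account outside the engineering allowlist")
    if not CHANGE_WINDOW[0] <= event.timestamp.time() <= CHANGE_WINDOW[1]:
        findings.append("access outside the change window")
    if event.action == "copy" and event.dest and not in_approved_repo(event.dest):
        findings.append("project file copied outside the approved repository")
    return findings


def review(lines) -> List[Tuple[FileEvent, List[str]]]:
    """Return (event, findings) for every record that produced at least one finding."""
    flagged = []
    for line in lines:
        event = parse_line(line)
        findings = assess(event)
        if findings:
            flagged.append((event, findings))
    return flagged


# Constructed sample records, not real logs.
SAMPLE_LINES = [
    r"2026-01-23T09:15:00|OT\eng.alice|read|D:\PLC_Projects\line1.ckp|",
    r"2026-01-23T22:40:00|OT\svc.report|read|D:\PLC_Projects\line1.ckp|",
    r"2026-01-23T10:05:00|OT\eng.bob|copy|D:\PLC_Projects\line2.ckp|E:\Removable\line2.ckp",
    r"2026-01-23T11:00:00|OT\eng.alice|read|D:\PLC_Projects\notes.txt|",
]

if __name__ == "__main__":
    for event, findings in review(SAMPLE_LINES):
        print(f"{event.timestamp.isoformat()} {event.account} {event.action} {event.path}")
        for finding in findings:
            print("   -", finding)
```

Run against the constructed records, the script flags the off-hours read by the non-engineering service account and the copy to a removable drive, and stays quiet about the engineer's in-hours read and the unrelated text file. A backup service account that legitimately reads project files would be added to the allowlist rather than silenced, so that the exception is visible in the configuration.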

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-022-02 for AutomationDirect CLICK Programmable Logic Controller and the included vendor remediation guidance. The advisory describes exposed credentials in project files and recommends upgrading CLICK PLUS firmware to V3.90. No KEV listing or ransomware-campaign designation was supplied. Timing is based on the advisory/CVE publication date of 2026-01-22.

Official resources

CISA published the advisory and CVE entry on 2026-01-22. The advisory provides vendor mitigation guidance and does not indicate KEV inclusion.