The convergence of operational technology with modern networking capabilities has created unprecedented efficiency in industrial environments, but it has also quietly introduced a new generation of security risks that threaten the very foundation of automated processes. A comprehensive analysis of the widely deployed AutomationDirect CLICK Plus family of Programmable Logic Controllers (PLCs) has brought this issue into sharp focus, revealing a series of significant vulnerabilities that undermine the device’s security architecture. This review will explore the technical nature of these recently discovered flaws, their potential impact on industrial operations, and the critical mitigation strategies required to secure these essential components of our connected world. The findings serve as a potent reminder that in the realm of industrial cybersecurity, the presence of security features is no guarantee of security itself.
Introduction to Modern PLC Technology and Connectivity
The AutomationDirect CLICK Plus PLC family stands as a prime example of modern industrial controllers, valued for its versatility and ease of integration. These compact devices are designed to be the brains behind a vast array of automated tasks, supporting ladder-logic programming, I/O expansion, and multiple communication interfaces. What sets them apart and makes them a subject of great interest is their integrated support for modern connectivity standards, including Ethernet, Wi-Fi, and Bluetooth.
These features, particularly the wireless interfaces, allow for unprecedented flexibility in system management, enabling programming and monitoring from both traditional workstations and mobile applications. However, this enhanced connectivity inherently expands the attack surface. As these controllers are deployed in increasingly interconnected networks, their wireless capabilities become potential entry points for malicious actors, transforming a tool of convenience into a vector for disruption. The security of the protocols governing this communication is therefore not just an IT concern but a critical operational imperative.
Analysis of Critical Security Vulnerabilities
Flaws in Proprietary Communication Protocols
At the core of the discovered issues lies a series of implementation flaws within the PLC’s proprietary UDP-based communication protocol. This protocol was engineered to provide both encryption and authentication for commands exchanged between the PLC and its programming software. However, the analysis revealed critical weaknesses in the connection and key-exchange phases of this protocol. These flaws allow a passive observer on the network to capture the initial handshake and, due to predictable key-generation mechanisms, successfully decrypt the supposedly secure traffic.
This vulnerability effectively nullifies the protocol’s primary security function. An attacker who has gained a foothold on the operational network can intercept a legitimate user’s login attempt and recover their credentials directly from the captured data packets. The existence of such a flaw demonstrates a classic cybersecurity challenge: a theoretically sound security design can be completely undermined by subtle but significant errors in its real-world implementation, leaving sensitive systems exposed.
Session Management and Denial of Service Exploits
Beyond the decryption vulnerability, the investigation uncovered weaknesses in how the CLICK Plus PLC manages communication sessions. These flaws permit an attacker to initiate and exhaust all available communication slots on the device, leading to a potent denial-of-service (DoS) condition. By flooding the PLC with connection requests, an adversary can effectively lock out legitimate operators, preventing them from monitoring or controlling the industrial process. This attack blinds critical oversight systems, such as Human-Machine Interfaces (HMIs), leaving the physical process unmanaged.
A particularly concerning aspect of this vulnerability is its reach. An attacker can saturate not only the network-based sessions but also the device’s Bluetooth channels remotely over the network, without needing to be in physical proximity. This capability, identified as CVE-2025-57882, means that an attacker can systematically disable all avenues of legitimate communication, creating a window of opportunity to manipulate the process while operators are completely cut off from the system.
Privilege Escalation and Unauthorized I/O Manipulation
Another critical vulnerability enables an attacker who has already obtained low-privilege credentials to perform high-privilege actions, effectively bypassing the device’s access control model. This flaw, tracked as CVE-2025-55038, allows an authenticated but non-administrative user to execute commands that should be restricted, including the ability to read and overwrite the controller’s I/O values at will.
This vulnerability translates directly into the power to manipulate physical processes. An attacker could alter conveyor belt speeds, disable safety interlocks, modify valve positions, or falsify sensor readings to hide the system’s true state. Such actions move beyond data theft or system disruption into the realm of physical sabotage, posing a direct threat to equipment, product quality, and, most importantly, the safety of personnel working in the vicinity of the compromised machinery.
The Anatomy of a Targeted PLC Attack
The discovered vulnerabilities are not just isolated weaknesses; they can be chained together to form a highly effective and stealthy attack sequence. The scenario begins with an attacker gaining initial access to the operational technology (OT) network, a prerequisite that can be achieved through various means, including compromised remote access points, insecure network configurations, or a compromised engineering workstation.
Once on the network, the attacker lies in wait, passively monitoring traffic until a legitimate operator connects to the target PLC. By exploiting the flawed key-exchange protocol, the attacker captures and decrypts the login sequence to steal the user’s credentials. Armed with valid credentials, the attacker authenticates to the device and then triggers the session management vulnerabilities to lock out all other users, blinding HMIs and monitoring systems. With sole control, the attacker can then leverage the privilege escalation flaw to manipulate I/O values, directly interfering with the physical process while remaining undetected.
Deployment Across Industrial and Commercial Sectors
The significance of these vulnerabilities is magnified by the widespread deployment of CLICK Plus PLCs across a diverse range of sectors. These controllers are not confined to traditional factory floors; they are integral components in building automation systems, remote process control for utilities, and even recreational industries, such as controlling the operation of amusement park rides. Their versatility and cost-effectiveness have made them a popular choice for small and medium-sized operations that may lack dedicated cybersecurity resources.
This broad adoption means that a successful exploit could have far-reaching consequences. A disruption in a manufacturing facility could lead to significant financial loss, while a compromise in a building’s automation system could impact safety and environmental controls. The presence of these devices in public-facing applications like amusement parks raises even more severe concerns about public safety, highlighting the urgent need to address these security gaps across all sectors where they are deployed.
Impact and Alignment with the MITRE ATT&CK for ICS Framework
The identified vulnerabilities map directly to well-understood adversary tactics within the MITRE ATT&CK for ICS framework, a knowledge base of techniques used to target industrial control systems. The ability to decrypt traffic and manipulate I/O values aligns with tactics like “Modify Control Logic” and “Manipulate View,” where an attacker seeks to take unauthorized control of a process while deceiving operators.
Specifically, these flaws facilitate unauthorized control actions that could lead to unsafe physical conditions. The session management exploits enable a “Loss of View,” preventing operators from seeing the true state of the system and responding to an attack. Furthermore, the weak cryptography allows for the exfiltration of sensitive operational data, including ladder logic, system configurations, and credentials, which can be used to plan more sophisticated and damaging future attacks.
Future Outlook Remediation and Defensive Strategies
In response to the responsible disclosure of these findings, AutomationDirect has issued security patches for both the CLICK Plus firmware and the accompanying CLICK Programming Software. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released a security advisory to inform asset owners of the risks. Organizations using these devices are strongly advised to apply the latest updates to both their workstations and PLCs to remediate the vulnerabilities.
Looking beyond immediate patching, these events underscore the need for a more resilient, long-term defensive posture. Robust network segmentation is a critical step, as it can limit an attacker’s ability to move laterally and reach critical controllers even if they breach the network perimeter. Furthermore, continuous network monitoring solutions that provide deep visibility into OT protocols are essential for detecting vulnerable assets and identifying suspicious activity that could indicate an ongoing attack, empowering security teams to respond before significant damage occurs.
Conclusion and Strategic Recommendations
This security review of the AutomationDirect CLICK Plus PLC demonstrated that even when modern security features like encryption are implemented, subtle flaws in their execution can create critical vulnerabilities. The analysis revealed that weaknesses in the device’s proprietary protocol, session management, and access control model could be chained together to enable a malicious actor to seize control of an industrial process, lock out legitimate operators, and cause direct physical impact. These findings were not merely theoretical; they represented a practical pathway to compromise that threatened safety and production across numerous sectors.
The episode underscored a fundamental principle of modern industrial cybersecurity: technology alone is insufficient without a comprehensive security strategy. The swift response from the vendor in releasing patches was a positive outcome, yet it also highlighted the reactive nature of many security efforts. Moving forward, the key takeaway was the undeniable necessity for proactive vulnerability management, timely patching, and the implementation of defense-in-depth architectures in all industrial environments. A security posture built on strong network segmentation, continuous monitoring, and vigilant oversight proved to be the only reliable way to protect critical infrastructure in an increasingly connected world.
