CVE-2021-32980
📋 TL;DR
This vulnerability in Automation Direct CLICK PLC CPU Modules allows attackers to establish unauthorized programming connections to the PLC even when legitimate connections are already active. This affects C0-1x CPUs with firmware versions prior to v3.00, potentially enabling malicious actors to manipulate industrial control systems.
💻 Affected Systems
- Automation Direct CLICK PLC CPU Modules C0-1x CPUs
📦 What is this software?
C0 10are D Firmware by Automationdirect
C0 10dd1e D Firmware by Automationdirect
C0 10dd2e D Firmware by Automationdirect
C0 10dre D Firmware by Automationdirect
C0 11are D Firmware by Automationdirect
C0 11dd1e D Firmware by Automationdirect
C0 11dd2e D Firmware by Automationdirect
C0 11dre D Firmware by Automationdirect
C0 12are 1 D Firmware by Automationdirect
C0 12are 2 D Firmware by Automationdirect
C0 12are D Firmware by Automationdirect
C0 12dd1e 1 D Firmware by Automationdirect
C0 12dd1e 2 D Firmware by Automationdirect
C0 12dd1e D Firmware by Automationdirect
C0 12dd2e 1 D Firmware by Automationdirect
C0 12dd2e 2 D Firmware by Automationdirect
C0 12dd2e D Firmware by Automationdirect
C0 12dre 1 D Firmware by Automationdirect
C0 12dre 2 D Firmware by Automationdirect
C0 12dre D Firmware by Automationdirect
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of industrial control processes, allowing attackers to modify PLC logic, disrupt operations, cause physical damage, or create safety hazards in industrial environments.
Likely Case
Unauthorized access to PLC programming interface enabling logic modification, operational disruption, or data manipulation in industrial control systems.
If Mitigated
Limited impact with proper network segmentation and access controls, though the vulnerability still exists at the device level.
🎯 Exploit Status
The vulnerability allows connection without authentication when another connection exists, making exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.00
Vendor Advisory: https://www.automationdirect.com/support/security-advisories
Restart Required: Yes
Instructions:
1. Download firmware v3.00 from Automation Direct website.
2. Connect to PLC via programming software.
3. Upload new firmware.
4. Restart PLC to apply changes.
🔧 Temporary Workarounds
Network Segmentation
Isolate PLCs on separate network segments with strict firewall rules to limit access.
Access Control Lists
Implement network ACLs to restrict which IP addresses can connect to PLC programming ports.
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to isolate PLCs from untrusted networks.
- Deploy intrusion detection systems to monitor for unauthorized connection attempts to PLC programming ports.
🔍 How to Verify
Check if Vulnerable:
Check PLC firmware version via programming software. If version is below v3.00, the device is vulnerable.
Check Version:
Use Automation Direct programming software to read PLC firmware version from device properties.
Verify Fix Applied:
Confirm firmware version is v3.00 or higher using programming software interface.
📡 Detection & Monitoring
Log Indicators:
- Multiple simultaneous connection attempts to PLC programming port
- Unauthorized IP addresses connecting to PLC
Network Indicators:
- Unexpected traffic on PLC programming ports (typically 502/TCP for Modbus)
- Connection attempts from unauthorized network segments
SIEM Query:
source_ip NOT IN (authorized_ips) AND dest_port=502 AND protocol=TCP
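The log indicators above, expressed as detection logic over connection events. This is an added example, not part of the original advisory: the event format, the IP addresses and the authorized range are constructed assumptions, and port 502 is the one named on this page.

```python
import ipaddress
from collections import defaultdict

PROGRAMMING_PORT = 502  # port named on this page; adjust to your deployment
# Assumed range for engineering workstations allowed to program PLCs
AUTHORIZED = [ipaddress.ip_network("10.10.5.0/28")]

# Constructed sample flow events: (time, event, source IP, PLC IP, dest port)
SAMPLE_EVENTS = [
    ("08:00:01", "open",  "10.10.5.4",  "10.20.0.11", 502),
    ("08:03:17", "open",  "10.10.9.77", "10.20.0.11", 502),
    ("08:04:02", "close", "10.10.9.77", "10.20.0.11", 502),
    ("08:05:40", "close", "10.10.5.4",  "10.20.0.11", 502),
    ("08:09:12", "open",  "10.10.5.6",  "10.20.0.12", 502),
    ("08:09:30", "open",  "10.10.5.4",  "10.20.0.12", 443),
]

def is_authorized(src):
    """True if the source address falls inside an authorized network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED)

def detect(events, port=PROGRAMMING_PORT):
    """Return (time, rule, plc, src) alerts for time-ordered events."""
    active = defaultdict(list)  # PLC IP -> sources with an open session
    alerts = []
    for ts, event, src, plc, dport in events:
        if dport != port:
            continue  # only the programming port is of interest here
        if event == "open":
            if not is_authorized(src):
                alerts.append((ts, "unauthorized_source", plc, src))
            # A second session while one is already open is the condition
            # this CVE concerns, so flag it even for authorized sources.
            if active[plc]:
                alerts.append((ts, "concurrent_session", plc, src))
            active[plc].append(src)
        elif event == "close" and src in active[plc]:
            active[plc].remove(src)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

Events must be supplied in time order; an authorized workstation that opens a second session is still reported under `concurrent_session` so it can be reviewed.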