CVE-2021-32982
📋 TL;DR
Automation Direct CLICK PLC CPU modules with vulnerable firmware transmit passwords in plaintext during unlocking and project transfers. This allows attackers with network visibility to capture credentials and potentially gain unauthorized access to industrial control systems. Organizations using C0-1x CPUs with firmware before v3.00 are affected.
💻 Affected Systems
- Automation Direct CLICK PLC C0-1x CPU modules
📦 What is this software?
C0 10are D Firmware by Automationdirect
C0 10dd1e D Firmware by Automationdirect
C0 10dd2e D Firmware by Automationdirect
C0 10dre D Firmware by Automationdirect
C0 11are D Firmware by Automationdirect
C0 11dd1e D Firmware by Automationdirect
C0 11dd2e D Firmware by Automationdirect
C0 11dre D Firmware by Automationdirect
C0 12are 1 D Firmware by Automationdirect
C0 12are 2 D Firmware by Automationdirect
C0 12are D Firmware by Automationdirect
C0 12dd1e 1 D Firmware by Automationdirect
C0 12dd1e 2 D Firmware by Automationdirect
C0 12dd1e D Firmware by Automationdirect
C0 12dd2e 1 D Firmware by Automationdirect
C0 12dd2e 2 D Firmware by Automationdirect
C0 12dd2e D Firmware by Automationdirect
C0 12dre 1 D Firmware by Automationdirect
C0 12dre 2 D Firmware by Automationdirect
C0 12dre D Firmware by Automationdirect
⚠️ Risk & Real-World Impact
Worst Case
Attacker captures administrative passwords, gains full control of PLCs, modifies industrial processes, causes physical damage, or disrupts critical operations.
Likely Case
Attacker captures passwords through network sniffing, gains unauthorized access to PLC programming and configuration, potentially altering logic or stealing intellectual property.
If Mitigated
With network segmentation and monitoring, attackers may capture passwords but cannot reach PLCs to use them, limiting impact to credential exposure.
🎯 Exploit Status
Exploitation requires network access to observe password transmission. No authentication bypass needed to capture credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.00
Vendor Advisory: https://www.automationdirect.com/support/security-advisories
Restart Required: Yes
Instructions:
1. Download firmware v3.00 from Automation Direct website.
2. Connect to PLC via programming software.
3. Backup current project.
4. Upload new firmware.
5. Restart PLC.
6. Verify firmware version.
🔧 Temporary Workarounds
Network Segmentation
Isolate PLCs on separate VLANs with strict firewall rules to prevent unauthorized network access.
Encrypted VPN Tunnel
Use VPN for all PLC communications to encrypt password transmission.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PLCs from untrusted networks
- Use out-of-band management networks for PLC programming and maintenance
🔍 How to Verify
Check if Vulnerable:
Check firmware version in CLICK Programming Software under CPU Status. If version is below 3.00, system is vulnerable.
Check Version:
Use CLICK Programming Software: Connect to PLC → View CPU Status → Check Firmware Version
Verify Fix Applied:
Confirm firmware version shows 3.00 or higher in CLICK Programming Software CPU Status.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts after password changes
- Unusual project upload/download activity
Network Indicators:
- Plaintext password strings in network captures of PLC communications
- Unauthorized connections to PLC programming ports
SIEM Query:
source="network_traffic" AND (dest_port=20256 OR dest_port=44818) AND content="password"
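
One way to turn the "unauthorized connections to PLC programming ports" indicator into a check over exported flow records. This is an added example, not code from the vendor or the original page. The ports come from the SIEM query above; the CSV layout, the PLC subnet and the engineering-workstation allowlist are assumptions to be replaced with site values.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Destination ports taken from the SIEM query on this page.
PLC_PORTS = {20256, 44818}
# Assumptions (site-specific, constructed): PLC subnet and the only
# engineering workstation allowed to program the PLCs.
PLC_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.40.5")}

# Constructed flow records for illustration, not real traffic.
SAMPLE_FLOWS = """ts,src_ip,dst_ip,dst_port
2024-01-01T08:00:00Z,10.20.40.5,10.20.30.11,20256
2024-01-01T08:03:10Z,10.20.50.77,10.20.30.11,20256
2024-01-01T08:03:12Z,10.20.50.77,10.20.30.12,44818
2024-01-01T08:03:15Z,10.20.50.77,10.20.30.12,443
2024-01-01T08:05:00Z,192.168.1.9,10.20.30.11,44818
2024-01-01T08:06:00Z,not-an-ip,10.20.30.11,20256
2024-01-01T08:07:00Z,10.20.50.77,10.99.0.1,20256
"""


def unauthorized_plc_flows(flow_csv, plc_net=PLC_NET,
                           allowed=ALLOWED_SOURCES, ports=PLC_PORTS):
    """Return {source_ip: sorted [(plc_ip, port), ...]} for flows that reach
    a PLC programming port from a source not on the allowlist."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src_ip"])
            dst = ipaddress.ip_address(row["dst_ip"])
            port = int(row["dst_port"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed or truncated record: skip, do not alert
        if dst in plc_net and port in ports and src not in allowed:
            hits[str(src)].add((str(dst), port))
    return {src: sorted(pairs) for src, pairs in hits.items()}


if __name__ == "__main__":
    for src, targets in unauthorized_plc_flows(SAMPLE_FLOWS).items():
        print(f"ALERT {src} -> {targets}")
```

Any source that appears in the result has reached a PLC on a port where unlock and project-transfer traffic can be observed or replayed, so it is also a candidate for password rotation after the firmware update.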