CVE-2021-32986
📋 TL;DR
This vulnerability in Automation Direct CLICK PLC CPU Modules allows unauthorized programming access after an authorized session is interrupted. The PLC remains unlocked indefinitely until power-cycled, enabling attackers to modify industrial control logic without authentication. This affects organizations using these PLCs in operational technology environments.
💻 Affected Systems
- Automation Direct CLICK PLC CPU Modules: C0-1x CPUs
📦 What is this software?
C0 10are D Firmware by Automationdirect
C0 10dd1e D Firmware by Automationdirect
C0 10dd2e D Firmware by Automationdirect
C0 10dre D Firmware by Automationdirect
C0 11are D Firmware by Automationdirect
C0 11dd1e D Firmware by Automationdirect
C0 11dd2e D Firmware by Automationdirect
C0 11dre D Firmware by Automationdirect
C0 12are 1 D Firmware by Automationdirect
C0 12are 2 D Firmware by Automationdirect
C0 12are D Firmware by Automationdirect
C0 12dd1e 1 D Firmware by Automationdirect
C0 12dd1e 2 D Firmware by Automationdirect
C0 12dd1e D Firmware by Automationdirect
C0 12dd2e 1 D Firmware by Automationdirect
C0 12dd2e 2 D Firmware by Automationdirect
C0 12dd2e D Firmware by Automationdirect
C0 12dre 1 D Firmware by Automationdirect
C0 12dre 2 D Firmware by Automationdirect
C0 12dre D Firmware by Automationdirect
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain persistent unauthorized access to modify PLC programming, potentially causing physical damage, production shutdowns, or safety incidents in industrial environments.
Likely Case
Unauthorized personnel or malware could modify PLC logic to disrupt operations, cause equipment damage, or create safety hazards without detection.
If Mitigated
With proper network segmentation and monitoring, impact is limited to unauthorized programming changes within isolated control networks.
🎯 Exploit Status
Exploitation requires initial authorized access followed by interruption of programming session. No public exploit code known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware v3.00 or later
Vendor Advisory: https://www.automationdirect.com/support/security-advisories
Restart Required: Yes
Instructions:
1. Download firmware v3.00+ from Automation Direct website.
2. Backup current PLC program.
3. Connect programming software.
4. Upload new firmware.
5. Restart PLC.
6. Restore program.
🔧 Temporary Workarounds
Power cycle after programming sessions
Manually power cycle PLC after every programming session to force re-lock
Network segmentation
Isolate PLC programming network from general IT network
🧯 If You Can't Patch
- Implement strict physical access controls to PLC programming ports
- Monitor for unauthorized programming connections and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check firmware version in programming software: If version is below 3.00, system is vulnerable.
Check Version:
Use CLICK Programming Software to read PLC firmware version
Verify Fix Applied:
After updating to v3.00+, test by interrupting programming session and attempting unauthorized connection.
📡 Detection & Monitoring
Log Indicators:
- Multiple programming connections from unauthorized IPs
- Programming sessions without proper authentication logs
Network Indicators:
- Unexpected programming protocol traffic (C-More/Ethernet)
- Programming connections from unauthorized network segments
SIEM Query:
source="plc_logs" AND event_type="programming_session" AND (auth_status="failed" OR src_ip NOT IN allowed_ips)
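The stateful check that the query above cannot express (a programming session reaching a PLC that was left unlocked by an interrupted session and has not been power-cycled since), as an added example that is not part of the original page or any vendor tooling. It assumes events already normalized from network monitoring; the `plc` field, the event types `session_interrupted` and `power_cycle`, the allowlist subnet and the sample events are all assumptions of this example.

```python
import ipaddress

# Assumed allowlist: the subnet of the engineering workstations.
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/28")]

def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def detect(events):
    """Scan time-ordered events; return (alerts, PLCs still unlocked).

    event_type, src_ip and auth_status follow the SIEM query on this page.
    The "plc" field and the event types "session_interrupted" and
    "power_cycle" are assumptions of this example.
    """
    unlocked = {}  # plc -> source of the interrupted authorized session
    alerts = []
    for ev in events:
        plc, kind = ev["plc"], ev["event_type"]
        if kind == "power_cycle":
            unlocked.pop(plc, None)       # a power cycle re-locks the PLC
        elif kind == "session_interrupted":
            unlocked[plc] = ev["src_ip"]  # stays unlocked until power cycle
        elif kind == "programming_session":
            src = ev["src_ip"]
            if not is_allowed(src):
                alerts.append((plc, src, "source not in allowlist"))
            elif ev.get("auth_status") == "failed":
                alerts.append((plc, src, "failed authentication"))
            if plc in unlocked and src != unlocked[plc]:
                alerts.append((plc, src, "session on PLC left unlocked"))
    return alerts, sorted(unlocked)

def mk(plc, event_type, src_ip=None, auth_status=None):
    return {"plc": plc, "event_type": event_type,
            "src_ip": src_ip, "auth_status": auth_status}

# Constructed sample events (not real logs).
SAMPLE = [
    mk("press-01", "programming_session", "10.20.30.5", "ok"),
    mk("press-01", "session_interrupted", "10.20.30.5"),
    mk("press-01", "programming_session", "10.20.30.9", "ok"),
    mk("press-01", "programming_session", "192.0.2.44", "ok"),
    mk("mixer-02", "session_interrupted", "10.20.30.5"),
    mk("mixer-02", "power_cycle"),
    mk("mixer-02", "programming_session", "10.20.30.5", "failed"),
]
```

The second return value lists PLCs that still need the power-cycle workaround before they can be considered locked again.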