CVE-2025-58069
📋 TL;DR
CVE-2025-58069 is a hard-coded cryptographic key vulnerability in Click Plus PLC firmware version 3.60. This allows attackers to decrypt initial session messages and potentially compromise PLC communications. Organizations using affected Click Plus PLCs in industrial control systems are impacted.
💻 Affected Systems
- Click Plus PLC
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of PLC communications leading to unauthorized control of industrial processes, production disruption, or safety system manipulation.
Likely Case
Session interception and decryption allowing attackers to monitor or manipulate initial PLC communications.
If Mitigated
Limited impact if network segmentation and monitoring prevent access to PLC communications.
🎯 Exploit Status
Requires network access to intercept KOPS session traffic and knowledge of the hard-coded AES key.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for updated firmware
Vendor Advisory: https://www.automationdirect.com/support/software-downloads
Restart Required: No
Instructions:
1. Check vendor advisory for updated firmware.
2. Download and install updated firmware from vendor site.
3. Verify firmware version after update.
🔧 Temporary Workarounds
Network Segmentation
Isolate PLCs from untrusted networks and implement strict firewall rules.
Session Monitoring
Monitor network traffic for unusual KOPS session initiation patterns.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PLCs from potential attackers.
- Deploy network monitoring and intrusion detection specifically for industrial control traffic.
🔍 How to Verify
Check if Vulnerable:
Check PLC firmware version via vendor management interface; version 3.60 is vulnerable.
Check Version:
Use vendor-specific PLC management tools to check firmware version.
Verify Fix Applied:
Verify firmware version after update shows a version higher than 3.60.
📡 Detection & Monitoring
Log Indicators:
- Unusual KOPS session initiation patterns
- Multiple failed session attempts
Network Indicators:
- Unusual traffic to PLC ports
- Suspicious session initiation patterns
SIEM Query:
Search for network traffic to PLC ports with unusual patterns or from unauthorized sources.