Authorization Bypass in Click Plus C2-03CPU2 Device Firmware by AutomationDirect
CVE-2025-55038
7.6 HIGH
What is CVE-2025-55038?
An authorization bypass vulnerability exists in firmware version 3.60 of the AutomationDirect Click Plus C2-03CPU2. The KOPR protocol used by the Remote PLC application does not enforce per-variable permissions: an authenticated user holding only minimal access rights can read and modify PLC variables beyond those they are authorized to access. Because PLC variables drive the controlled process, this puts the operational integrity and safety of affected installations at risk, and affected users should remediate promptly.
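The flaw class described above, as an added illustration (not AutomationDirect code and not the KOPR protocol; the variable names, token scheme, grant model and request shape are assumptions): a request handler that checks only that the caller is authenticated, beside one that also checks the caller's grant for the specific variable and operation before acting on it.

```python
"""Model of an object-level authorization bypass on PLC variables.

Added example: the user table, tokens, variable names and grant model are
hypothetical and exist only to show the difference between an
authentication-only check and a per-variable authorization check.
"""
from dataclasses import dataclass, field

# Assumed per-user grants: variable name -> set of permitted operations.
USERS = {
    "operator": {"token": "tok-op",
                 "grants": {"DS1": {"read"}, "DS2": {"read"}}},
    "engineer": {"token": "tok-eng",
                 "grants": {"DS1": {"read", "write"},
                            "DS2": {"read", "write"},
                            "C1": {"read", "write"}}},
}


@dataclass
class PLC:
    """Toy controller state: a few data registers and a control bit."""
    variables: dict = field(
        default_factory=lambda: {"DS1": 100, "DS2": 200, "C1": 0})
    audit: list = field(default_factory=list)


def authenticate(token):
    """Map a session token to a user name, or None if unknown."""
    for name, user in USERS.items():
        if user["token"] == token:
            return name
    return None


def handle_vulnerable(plc, token, op, var, value=None):
    """Bypass pattern: authentication is verified, but any logged-in user
    may then read or write any variable regardless of their grants."""
    user = authenticate(token)
    if user is None:
        return ("error", "unauthenticated")
    if var not in plc.variables:
        return ("error", "no such variable")
    if op == "read":
        return ("ok", plc.variables[var])
    if op == "write":
        plc.variables[var] = value
        return ("ok", value)
    return ("error", "bad op")


def handle_fixed(plc, token, op, var, value=None):
    """Authenticate, then authorize the exact (user, op, var) triple before
    touching state. The grant check runs before the existence check so a
    low-privilege caller cannot enumerate variable names via error text."""
    user = authenticate(token)
    if user is None:
        return ("error", "unauthenticated")
    if op not in USERS[user]["grants"].get(var, set()):
        plc.audit.append(f"DENY user={user} op={op} var={var}")
        return ("error", "forbidden")
    if var not in plc.variables:
        return ("error", "no such variable")
    if op == "read":
        return ("ok", plc.variables[var])
    if op == "write":
        plc.audit.append(f"WRITE user={user} var={var} value={value}")
        plc.variables[var] = value
        return ("ok", value)
    return ("error", "bad op")


def demo():
    """Read-only operator tries to set a control bit it has no grant for."""
    vuln, fixed = PLC(), PLC()
    r_vuln = handle_vulnerable(vuln, "tok-op", "write", "C1", 1)
    r_fixed = handle_fixed(fixed, "tok-op", "write", "C1", 1)
    return {
        "vulnerable": (r_vuln, vuln.variables["C1"]),
        "fixed": (r_fixed, fixed.variables["C1"], fixed.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The fixed handler records every denial and every write; on a real controller that audit trail is what lets a monitoring system spot a minimal-privilege session touching variables it should never reach.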
Affected Version(s)
CLICK PLUS C0-0x CPU firmware 0
CLICK PLUS C0-1x CPU firmware 0
CLICK PLUS C2-x CPU firmware 0
CVSS V4
Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined (not given on this page; the description above states the attacker is an authenticated user with minimal rights)
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Luca Borzacchiello and Diego Zaffaroni of Nozomi Networks reported these vulnerabilities to Automation Direct.