CVE-2025-55038 HIGH

CVE-2025-55038: AutomationDirect CLICK PLUS Missing Authorization

Vendor AutomationDirect
Product CLICK PLUS C0-0x CPU firmware
Weakness CWE-862 · Missing authorization
Published September 23, 2025
Last update September 24, 2025

CVSS base score

7.6/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An authorization bypass vulnerability has been discovered in the Click Plus C2-03CPU2 device firmware version 3.60. Through the KOPR protocol utilized by the Remote PLC application, authenticated users with low-level access permissions can exploit this vulnerability to read and modify PLC variables beyond their intended authorization level.

Key dates

02 Disclosure timeline

September 23, 2025 CVE published
September 24, 2025 Record updated