Home

Description

An authorization bypass vulnerability has been discovered in the Click Plus C2-03CPU2 device firmware version 3.60. Through the KOPR protocol utilized by the Remote PLC application, authenticated users with low-level access permissions can exploit this vulnerability to read and modify PLC variables beyond their intended authorization level.

PUBLISHED Reserved 2025-09-16 | Published 2025-09-23 | Updated 2025-09-24 | Assigner icscert




HIGH: 7.6CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

MEDIUM: 6.8CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Any version before v3.71
affected

Default status
unaffected

Any version before v3.71
affected

Default status
unaffected

Any version before v3.71
affected

Credits

Luca Borzacchiello and Diego Zaffaroni of Nozomi Networks reported these vulnerabilities to Automation Direct. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-25-266-01

www.automationdirect.com/support/software-downloads

cve.org (CVE-2025-55038)

nvd.nist.gov (CVE-2025-55038)

Download JSON