Description

A hard-coded cryptographic key was discovered in firmware version 3.60 of the Click Plus PLC. The firmware contains a hard-coded AES key that is used to protect the initial messages of a new KOPS session.

Status: Published | Reserved 2025-09-16 | Published 2025-09-23 | Updated 2025-09-24 | Assigner: icscert

MEDIUM 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

MEDIUM 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Problem types

CWE-321 Use of Hard-coded Cryptographic Key

Product status

Default status: unaffected

Any version before v3.71: affected

Credits

Finder: Luca Borzacchiello and Diego Zaffaroni of Nozomi Networks reported these vulnerabilities to Automation Direct.

References

www.cisa.gov/news-events/ics-advisories/icsa-25-266-01

www.automationdirect.com/support/software-downloads

cve.org (CVE-2025-58069)

nvd.nist.gov (CVE-2025-58069)