CVE-2025-61934

CRITICAL

Productivity Suite <v4.4.1.19 - SSRF

Title source: llm

Description

A binding to an unrestricted IP address vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and read, write, or delete arbitrary files and folders on the target machine

References (4)

Core 4

Core References

Various Sources

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json

View Writeup ZIP pw:eip

Various Sources

https://support.automationdirect.com/docs/securityconsiderations.pdf

Various Sources

https://www.automationdirect.com/support/software-downloads

Third Party Advisory, US Government Resource

https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01

Scores

CVSS v3 10.0

EPSS 0.0034

EPSS Percentile 56.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-1327

Status published

Products (8)

AutomationDirect/Productivity 1000 P1-540 CPU < SW v4.4.1.19

AutomationDirect/Productivity 1000 P1-550 CPU < SW v4.4.1.19

AutomationDirect/Productivity 2000 P2-550 CPU < SW v4.4.1.19

AutomationDirect/Productivity 2000 P2-622 CPU < SW v4.4.1.19

AutomationDirect/Productivity 3000 P3-530 CPU < SW v4.4.1.19

AutomationDirect/Productivity 3000 P3-550E CPU < SW V4.2.1.9

AutomationDirect/Productivity 3000 P3-622 CPU < SW V4.2.1.9

AutomationDirect/Productivity Suite < SW V4.2.1.9

Published Oct 23, 2025

Tracked Since Feb 18, 2026