CVE-2026-60140 PUBLISHED

AutomationDirect Productivity Suite Out-of-bounds Read

Assigner: icscert
Reserved: 09.07.2026 Published: 16.07.2026 Updated: 17.07.2026

An out-of-bounds read vulnerability in the Productivity Suite allows a local attacker to trigger kernel memory corruption by sending a crafted IOCTL request. This can lead to exposing sensitive information or causing the affected product to become unstable or unavailable.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor AutomationDirect
Product Productivity Suite
Versions Default: unaffected
  • affected from 0 to v4.6.2.2 (incl.)
  • Version v4.7.0.47 is unaffected

Workarounds

If the update cannot be applied right away, the following compensating controls are recommended until the upgrade can be performed.

  • Disconnect the engineering workstation from external networks (e.g., the internet or corporate LAN) to reduce exposure.
  • Use only trusted, dedicated internal networks or air-gapped systems for device communication.
  • Restrict both physical and logical access to authorized personnel only.
  • Configure whitelisting so that only trusted, pre-approved applications are allowed to run. Block any unauthorized software.
  • Use antivirus or EDR tools and configure host-based firewalls to block unauthorized access attempts.
  • Enable and regularly review system logs to detect suspicious or unauthorized activity.
  • Maintain secure, tested backups of the PLC and its configurations to minimize downtime in case of an incident.
  • Continuously evaluate risks associated with running outdated firmware and adjust compensating measures accordingly.

Solutions

AutomationDirect recommends that users update Productivity suite to v4.7.0.47 and above  https://www.automationdirect.com/support/software-downloads

Credits

  • Luca Borzacchiello of Nozomi Networks reported this vulnerability to CISA. finder

References

Problem Types

  • CWE-125 CWE