Security researchers at Nozomi Networks Labs identified seven vulnerabilities in CLICK Plus devices and promptly notified AutomationDirect, supplying technical details to enable reproduction and remediation. The analysis focused on the CLICK Plus family of PLCs, particularly the C2-03CPU-2 model, which features Wi-Fi and Bluetooth interfaces. The C2-03CPU-2 was selected because its wireless capabilities make it representative of field-deployed units accessed from workstations and mobile devices.

“The devices communicate with workstations using a proprietary, UDP-based protocol, and a slightly modified variant of that same protocol runs over Bluetooth and the wireless interface used by mobile applications,” Nozomi researchers detailed in a recent blog post. “That protocol was a major focus of our work: we examined its connection and key-exchange phases, message formats, and the mechanisms intended to ensure confidentiality, integrity, and session management, looking specifically for implementation choices that could undermine otherwise sound designs.”

In addition to the network protocol, Nozomi’s scope included the software ecosystem used to program and manage CLICK Plus devices, specifically the CLICK Programming Software (the workstation client) and the Android and iOS mobile applications.

AutomationDirect’s CLICK Plus PLCs are deployed in various industrial and commercial settings: from factory-floor machinery and building-automation systems to remote process-control installations and even recreational systems such as amusement-park ride controllers. The device is a compact programmable logic controller that supports ladder-logic programming, I/O expansion, and multiple communication interfaces, including Ethernet, Wi-Fi, and Bluetooth, enabling integration with local control networks and remote/mobile applications.

The researchers detailed that the described attack chain requires the attacker to access the network on which the PLC operates and to monitor packets exchanged within it. “Standard operational controls should normally prevent such access, but attackers can still obtain a foothold in several ways: by gaining physical access to network ports, exploiting an exposed remote-maintenance interface, compromising a workstation or industrial gateway connected to the PLC network, or abusing weak network segmentation and misconfigured VPNs. Any of these footholds could allow an attacker to start the attack chain and enable destructive behavior.”

“The attacker first positions themselves. Once such access is established, the attacker positions themselves on the network and passively monitors traffic, waiting for an operator (or a machine) to connect to the PLC,” the Nozomi researchers noted. “As soon as the attacker detects a login to the device, they begin inspecting the exchanged traffic.” 

The CLICK Plus PLC uses a proprietary UDP-based protocol to communicate with other devices over the network. “Although this protocol is designed to provide encryption and authentication, implementation flaws allow the attacker to decrypt the traffic and recover operator credentials. With these credentials, the attacker can successfully authenticate to the PLC.”

Nozomi researchers observed that the attacker aims to disrupt factory operations by altering the normal behavior of the conveyor belt, but before doing so, they seek to avoid interruption and blind HMIs and monitoring interfaces. “Thus, the attacker exploits two additional protocol flaws that allow them to saturate available sessions (issues tracked as CVE-2025-58473 and CVE-2025-57882). Although CLICK Plus devices can also be monitored via Bluetooth, CVE-2025-57882 enables the attacker to saturate those sessions over the network without requiring physical proximity.”

With operator access effectively blocked, Nozomi pointed out that the attacker can operate undisturbed and read/overwrite any I/O values exposed by the controller. This capability may be possible even with lower-privilege credentials because of the issue tracked as CVE-2025-55038. “By manipulating the controller’s I/O values, the attacker can finally alter belt speeds, override or disable safety interlocks, and falsify sensor readings. These actions can destroy product batches, halt production, and create immediate physical danger for operators working at or near the line.”

The vulnerabilities identified in CLICK Plus devices correspond to several impacts in the MITRE ATT&CK for ICS framework. Protocol weaknesses allow attackers to recover keys, exfiltrate credentials, and read or overwrite I/O values. An authenticated adversary could change setpoints, flip outputs, or issue unauthorized control actions, potentially causing unsafe or damaging behavior in equipment such as conveyors, pumps, or amusement-park ride controllers.

Also, protocol and session management flaws enable attackers to disrupt telemetry and operator feedback. By blocking legitimate connections, an adversary can create a sustained loss of view, forcing manual intervention or concealing the true system state, leaving operators unaware of dangerous process deviations. 
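The session-saturation and loss-of-view pattern described above is something a network monitor can flag even without understanding the proprietary protocol: a burst of session attempts from one source against the PLC, followed by refused connections for the legitimate workstation. The following detector is an added example written for this article, not code from Nozomi Networks or AutomationDirect; the connection-log format, the addresses (10.0.0.5 as the PLC, 10.0.0.20 as the operator workstation, 10.0.0.77 as the noisy host), the UDP port 4040, and the thresholds are all constructed placeholders, not values from the advisory.

```python
"""Flag session-exhaustion behaviour against a PLC from connection-log lines.

Added example for illustration only (not Nozomi's or AutomationDirect's code).
Log format, IP addresses, port 4040 and all thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "<ISO time> <src> -> <dst>:<port> <event>".
# 10.0.0.5 is the PLC, 10.0.0.20 the operator workstation, 10.0.0.77 the
# host opening sessions in a burst.  All values are made up for the example.
SAMPLE_LOG = """\
2025-10-01T08:00:00 10.0.0.20 -> 10.0.0.5:4040 session_open
2025-10-01T08:00:30 10.0.0.20 -> 10.0.0.5:4040 session_close
2025-10-01T08:05:00 10.0.0.77 -> 10.0.0.5:4040 session_open
2025-10-01T08:05:00 10.0.0.77 -> 10.0.0.5:4040 session_open
2025-10-01T08:05:01 10.0.0.77 -> 10.0.0.5:4040 session_open
2025-10-01T08:05:01 10.0.0.77 -> 10.0.0.5:4040 session_open
2025-10-01T08:05:02 10.0.0.77 -> 10.0.0.5:4040 session_refused
2025-10-01T08:05:02 10.0.0.77 -> 10.0.0.5:4040 session_refused
2025-10-01T08:06:00 10.0.0.20 -> 10.0.0.5:4040 session_refused
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<event>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "event": m["event"],
    }


def detect_session_exhaustion(lines, window_s=10, burst_threshold=5, max_sessions=4):
    """Return a list of (kind, src, dst, ts) alerts.

    kinds:
      session_burst           one source made >= burst_threshold attempts in window_s
      sessions_saturated      the PLC's assumed session capacity (max_sessions) is full
      refused_while_saturated a client was refused while the PLC was saturated
    """
    alerts = []
    attempts = defaultdict(deque)   # (src, dst) -> recent attempt timestamps
    open_count = defaultdict(int)   # dst -> sessions currently open
    saturated = set()               # dst addresses at capacity
    burst_alerted = set()           # (src, dst) pairs already reported
    refused_alerted = set()         # (src, dst) pairs already reported

    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        key, dst, ts = (rec["src"], rec["dst"]), rec["dst"], rec["ts"]

        if rec["event"] in ("session_open", "session_refused"):
            # Sliding window of attempts per source/destination pair.
            q = attempts[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= burst_threshold and key not in burst_alerted:
                burst_alerted.add(key)
                alerts.append(("session_burst", rec["src"], dst, ts))

        if rec["event"] == "session_open":
            open_count[dst] += 1
            if open_count[dst] >= max_sessions and dst not in saturated:
                saturated.add(dst)
                alerts.append(("sessions_saturated", rec["src"], dst, ts))
        elif rec["event"] == "session_close":
            open_count[dst] = max(0, open_count[dst] - 1)
            if open_count[dst] < max_sessions:
                saturated.discard(dst)
        elif rec["event"] == "session_refused" and dst in saturated:
            # A refusal while the PLC is full is the loss-of-view symptom.
            if key not in refused_alerted:
                refused_alerted.add(key)
                alerts.append(("refused_while_saturated", rec["src"], dst, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, dst, ts in detect_session_exhaustion(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind}: {src} -> {dst}")
```

The detector keys the burst check on attempts rather than only accepted sessions, so a source that keeps hammering a full PLC is still reported, and it raises the loss-of-view alert once per client so the operator workstation's refusal stands out from the noisy host's own refusals. The session capacity is a placeholder; in practice it would come from the device documentation or be learned from a baseline of normal traffic.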

Lastly, weak cryptography and predictable key generation let an attacker passively decrypt traffic and extract sensitive operational data (credentials, ladder programs, configuration files, schedules, sensor logs). Stolen operational information can be used for targeted follow-on attacks, commercial espionage, or to plan destructive actions with greater effectiveness.

AutomationDirect has addressed these vulnerabilities through security patches for the CLICK Plus firmware and the CLICK Programming software. CISA also published a security report. Asset owners and operators are urged to update affected workstations with the newer version of the CLICK Programming software; update affected CLICK Plus devices with the newer version of the CLICK firmware; implement network segmentation to limit exposure of systems; and monitor network traffic for the presence of vulnerable assets.

To help organizations identify whether devices with vulnerable firmware are present in their environment, asset owners can rely on the advanced capabilities of the Nozomi Networks OT/IoT Security Platform. The platform provides deep visibility into network traffic and host activities, enabling effective vulnerability and threat detection across OT networks. Such proactive monitoring empowers security teams to respond to vulnerabilities and attacks effectively, minimizing the impact of attacks targeting critical networks.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.