CISA Warns CVSS 10.0 Bug Exposes AutomationDirect PLCs
The U.S. Cybersecurity and Infrastructure Security Agency issued an emergency alert on Oct. 26, warning of a critical remote code execution flaw with a CVSS score of 10.0 in AutomationDirect’s Productivity programmable logic controllers. CISA warns that CVSS 10 vulnerabilities could allow unauthenticated attackers to take full control of impacted systems, posing significant risks to industrial control environments.
The alert highlights multiple flaws, including CVE-2025-60023 and CVE-2025-59776, which affect communication protocols and system operations. These vulnerabilities open the door to remote exploitation without user interaction, potentially disrupting automated processes. CISA warns that CVSS 10 issues like these demand immediate attention from asset owners and operators using affected PLC models.
Twelve distinct CVEs were identified in the alert, including CVE-2025-61977, CVE-2025-58429, and CVE-2025-54253. CISA urges organizations to apply mitigations and review the full advisory to reduce exposure.
Read the complete alert at
