CVE-2025-58429
Published: 23 October 2025
Summary
CVE-2025-58429 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Automationdirect (inferred from references). Its CVSS base score is 8.3 (High).
Operationally, ranked in the top 29.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A relative path traversal vulnerability, tracked as CVE-2025-58429 and assigned CWE-23, affects Productivity Suite software version 4.4.1.19. The flaw resides in the ProductivityService PLC simulator component and permits unauthenticated remote interaction that can result in deletion of arbitrary files on the host system. It carries a CVSS 4.0 score of 8.3, reflecting network attack vector, low attack complexity, and high availability impact.
An unauthenticated remote attacker can send specially crafted requests to the exposed simulator service, traverse the file system via relative paths, and delete chosen files without requiring user interaction or credentials. Successful exploitation can therefore disrupt PLC simulation environments and impair the integrity and availability of files on the target machine.
CISA advisory ICSA-25-296-01 and vendor documentation from AutomationDirect recommend applying available software updates from the official download portal and reviewing the security considerations PDF for additional hardening steps such as network segmentation and service exposure controls.
The associated EPSS score rose from a low baseline to a peak of 0.0122, indicating emerging exploitation interest after disclosure that warrants renewed monitoring.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-35737
Vulnerability details
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary files on the target machine.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.