CVE-2021-32986
high-risk
Published 2022-04-04
After Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, the unlocked state does not timeout. If the programming software is interrupted, the PLC remains unlocked. All subsequent programming connections are allowed without authorization. The PLC is only relocked by a power cycle, or when the programming software disconnects correctly.
Do I need to act?
-
0.29% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (20)
C0-10Dd1E-D Firmware
C0-10Dd2E-D Firmware
C0-10Dre-D Firmware
C0-10Are-D Firmware
C0-11Dd1E-D Firmware
C0-11Dd2E-D Firmware
C0-11Dre-D Firmware
C0-11Are-D Firmware
C0-12Dd1E-D Firmware
C0-12Dd2E-D Firmware
C0-12Dre-D Firmware
C0-12Are-D Firmware
C0-12Dd1E-1-D Firmware
C0-12Dd2E-1-D Firmware
C0-12Dre-1-D Firmware
C0-12Are-1-D Firmware
C0-12Dd1E-2-D Firmware
C0-12Dd2E-2-D Firmware
C0-12Dre-2-D Firmware
C0-12Are-2-D Firmware
Affected Vendors
References (2)
Third Party Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-02
Third Party Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-02
53
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
1/34 · Minimal
Exposure
20/34 · Moderate