CVE-2022-2003

Name: CVE-2022-2003
Creator: NVD / NIST
Published: 2022-08-31T16:15:10.393+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.1/10EPSS 0.60%

Last modified Jun 17, 2026

CVE-2022-2003 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. EPSS estimates a 0.60% chance of exploitation in the next 30 days.

Description

AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects: AutomationDirect DirectLOGIC D0-06 series CPUs D0-06DD1 versions prior to 2.72; D0-06DD2 versions prior to 2.72; D0-06DR versions prior to 2.72; D0-06DA versions prior to 2.72; D0-06AR versions prior to 2.72; D0-06AA versions prior to 2.72; D0-06DD1-D versions prior to 2.72; D0-06DD2-D versions prior to 2.72; D0-06DR-D versions prior to 2.72;

Metrics

CVSS 3.1

9.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Probability

0.60%

44.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-319

Affected Software

Vendor	Product	Versions
Automationdirect	D0-06dd1 Firmware	< 2.72
Automationdirect	D0-06dd2 Firmware	< 2.72
Automationdirect	D0-06dr Firmware	< 2.72
Automationdirect	D0-06da Firmware	< 2.72
Automationdirect	D0-06ar Firmware	< 2.72
Automationdirect	D0-06aa Firmware	< 2.72
Automationdirect	D0-06dd1-D Firmware	< 2.72
Automationdirect	D0-06dd2-D Firmware	< 2.72
Automationdirect	D0-06dr-D Firmware	< 2.72

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-02Patch, Third Party Advisory, US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-03Patch, Third Party Advisory, US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-02Patch, Third Party Advisory, US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-03Patch, Third Party Advisory, US Government Resource

Timeline

Published: Aug 31, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-2003?

How severe is CVE-2022-2003?

CVE-2022-2003 has a CVSS score of 9.1/10 (CRITICAL severity). The EPSS model estimates a 0.60% probability of exploitation in the next 30 days.

How do I fix CVE-2022-2003?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-2003?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST