Back to Intelligence

CVE-2026-60063: AutomationDirect Productivity Suite Critical Flaws — Detection and Patching Guide

SA
Security Arsenal Team
July 16, 2026
5 min read

CISA has released ICSA-26-197-04, detailing critical memory corruption vulnerabilities impacting AutomationDirect Productivity Suite, a widely used engineering workstation software in the Critical Manufacturing sector. The software, essential for programming and configuring PLCs, contains multiple out-of-bounds (OOB) read/write flaws and a divide-by-zero error (CVE-2026-60063, CVE-2026-61389, CVE-2026-60140, CVE-2026-57896, CVE-2026-60073, CVE-2026-61378).

While these vulnerabilities require local or physical access, the risk profile in OT environments is elevated. Engineering workstations often operate with broader privileges and are physically accessible to maintenance staff, contractors, or trusted insiders. Successful exploitation of the OOB write vulnerabilities could result not just in Denial-of-Service (DoS), but potentially arbitrary code execution, allowing an attacker to pivot from the engineering workstation to the industrial control system (ICS) network.

Given the CVSS v3 score of 7.0 (High) and the critical nature of the affected infrastructure, immediate remediation is required to prevent the destabilization of manufacturing processes or the deployment of malicious logic to controllers.

Technical Analysis

Affected Product: AutomationDirect Productivity Suite Affected Versions: v4.6.2.2 and earlier

CVE Identifiers & Vulnerability Types:

  • CVE-2026-60063 / CVE-2026-61378 / CVE-2026-60073: Out-of-bounds Write
  • CVE-2026-61389 / CVE-2026-57896: Out-of-bounds Read
  • CVE-2026-60140: Divide By Zero

Mechanism of Exploitation: The vulnerabilities stem from improper memory validation within the Productivity Suite. Specifically, the Out-of-bounds Write vulnerabilities occur when the software fails to properly check bounds before writing data past the end of an allocated buffer.

  • Attack Vector: Local. An attacker requires access to the host system where the software is installed. This could be achieved via physical access, a logged-on session, or through a secondary lateral movement mechanism.
  • Impact:
    • Memory Corruption: The application writes data to unintended memory locations.
    • Code Execution (Theoretical): In the case of OOB Write vulnerabilities, carefully crafted input could overwrite function pointers or return addresses, allowing an attacker to hijack the execution flow.
    • Information Disclosure: OOB Read vulnerabilities allow the attacker to read sensitive memory contents, potentially leaking encryption keys or other operational data.
    • Denial-of-Service: The Divide By Zero and memory corruption bugs can cause the application to terminate unexpectedly, halting engineering operations.

Exploitation Status: As of this advisory release, CISA has not confirmed active exploitation in the wild. However, the technical nature of OOB writes makes them prime candidates for reliable exploit development once proof-of-concept code is reverse-engineered from the patch.

Detection & Response

Detecting the exploitation of local memory corruption bugs requires focusing on process reliability and unexpected child process creation. Since the attacker needs local access, we look for the application crashing (indicating a failed exploit attempt or DoS) or the application spawning a shell (indicating successful code execution).

SIGMA Rules

YAML
---
title: AutomationDirect Productivity Suite Crash Detection
id: 8a1c2b3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects crashes in AutomationDirect Productivity Suite (Productivity.exe) via Windows Error Reporting (WerFault.exe), which may indicate exploitation attempts of memory corruption vulnerabilities.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-04
author: Security Arsenal
date: 2026/10/14
tags:
  - attack.impact
  - attack.t1499
  - cve.2026.60063
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\WerFault.exe'
    CommandLine|contains: 'Productivity.exe'
  condition: selection
falsepositives:
  - Legitimate application crashes due to software bugs
level: medium
---
title: AutomationDirect Productivity Suite Spawning Shell
id: 9b2d3e4f-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects AutomationDirect Productivity Suite spawning suspicious child processes (cmd, powershell), which may indicate successful code execution via CVE-2026-60063.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-04
author: Security Arsenal
date: 2026/10/14
tags:
  - attack.execution
  - attack.t1059
  - cve.2026.60063
logsource:
  category: process_creation
  product: windows
detection:
  parent:
    Image|endswith: '\Productivity.exe'
  child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: parent and child
falsepositives:
  - Legitimate administrative scripting launched by the engineer (rare)
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for process crashes involving the Productivity Suite executable.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "WerFault.exe"
| where CommandLine contains "Productivity.exe"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, CommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for the presence of the vulnerable Productivity Suite executable on the endpoint to aid in asset discovery.

VQL — Velociraptor
-- Hunt for AutomationDirect Productivity Suite installations
SELECT FullPath, Mtime, Size, VersionInfo.FileVersion
FROM glob(globs="C:/Program Files*/AutomationDirect/Productivity Suite/Productivity.exe")
WHERE VersionInfo.FileVersion <= "4.6.2.2"

Remediation Script (PowerShell)

Use this script to audit Windows workstations for the presence of the affected software version.

PowerShell
# Audit AutomationDirect Productivity Suite for CVE-2026-60063
$VulnerableVersion = [version]"4.6.2.2"
$Paths = @(
    "${env:ProgramFiles(x86)}\AutomationDirect\Productivity Suite\Productivity.exe",
    "${env:ProgramFiles}\AutomationDirect\Productivity Suite\Productivity.exe"
)

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        $FileInfo = Get-Item $Path
        $CurrentVersion = $FileInfo.VersionInfo.FileVersion
        if ([version]$CurrentVersion -le $VulnerableVersion) {
            Write-Host "[VULNERABLE] Found: $Path" -ForegroundColor Red
            Write-Host "Installed Version: $CurrentVersion" -ForegroundColor Red
            Write-Host "Required Action: Update to a version greater than 4.6.2.2"
        } else {
            Write-Host "[OK] Found: $Path (Version: $CurrentVersion)" -ForegroundColor Green
        }
    }
}

Remediation

  1. Patch Immediately: AutomationDirect has released updates to address these vulnerabilities. Update Productivity Suite to a version newer than v4.6.2.2. Check the official AutomationDirect downloads portal for the latest release.
  2. Vendor Advisory: Review the official vendor security notification and the CISA advisory ICSA-26-197-04 for detailed installation instructions.
  3. Restrict Local Access: Until patching is complete, enforce strict physical access controls to engineering workstations. Ensure that user accounts associated with HMI/Engineering workstations do not have local administrator privileges unless strictly necessary.
  4. Network Segmentation: Ensure engineering workstations are isolated from the internet and untrusted networks. If remote access is required, enforce strict jump-host requirements and MFA.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionics-advisoryautomationdirectcve-2026-60063ot-securityvulnerability-management

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.