Search criteria
35 vulnerabilities by OMRON Corporation
CVE-2025-1384 (GCVE-0-2025-1384)
Vulnerability from cvelistv5 – Published: 2025-07-13 23:42 – Updated: 2025-07-14 14:15
VLAI?
Title
Least Privilege Violation Vulnerability in the communications functions of NJ/NX-series Machine Automation Controllers
Summary
Least Privilege Violation (CWE-272) Vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to perform unauthorized access and to execute unauthorized code remotely to the controller products.
Severity ?
CWE
- CWE-272 - Least Privilege Violation
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T14:14:22.828617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T14:15:23.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"packageName": "NJ101-[][][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ101-[][][][] Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ301-1[]00",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ301-1[]00 Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]00",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]00 Ver.1.67.02 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]20",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]20 Ver.1.68.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1340",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1340 Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-4[][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-4[][][] Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-5300",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-5300 Ver.1.67.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-R[]00",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[]00 Ver.1.67.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-R[]20",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[]20 Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX102-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][][][] Ver.1.68.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][] Ver.1.64.09 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]1",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][]1 Ver.1.64.09 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX502-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX502-[][][][] Ver.1.68.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX701-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX701-[][][][] Ver.1.35.09 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "SYSMAC-SE2[][][]",
"product": "Sysmac Studio Software",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "SYSMAC-SE2[][][] all"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Least Privilege Violation (CWE-272) Vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"value": "Least Privilege Violation (CWE-272) Vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-272",
"description": "CWE-272 Least Privilege Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-13T23:42:09.953Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-004_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-004_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The countermeasure against the vulnerability can be implemented by updating each product to the countermeasure version and setting the secure communication version 2.\u003cbr\u003eFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors. \u003cbr\u003e"
}
],
"value": "The countermeasure against the vulnerability can be implemented by updating each product to the countermeasure version and setting the secure communication version 2.\nFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors."
}
],
"source": {
"advisory": "OMSR-2025-004",
"discovery": "UNKNOWN"
},
"title": "Least Privilege Violation Vulnerability in the communications functions of NJ/NX-series Machine Automation Controllers",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of this vulnerability.\u003cbr\u003e\u003cbr\u003e1. Secure Communication Function\u003cbr\u003eThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\u003cbr\u003e- NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\u003cbr\u003e- NX701 CPU Unit: Version 1.29 or higher\u003cbr\u003e- NX502 CPU Unit: Version 1.60 or higher\u003cbr\u003e\u003cbr\u003e2. Anti-virus protection\u003cbr\u003eProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e3. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e4. Data input and output protection\u003cbr\u003eValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e5. Data recovery\u003cbr\u003ePeriodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of this vulnerability.\n\n1. Secure Communication Function\nThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\n- NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\n- NX701 CPU Unit: Version 1.29 or higher\n- NX502 CPU Unit: Version 1.60 or higher\n\n2. Anti-virus protection\nProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n3. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n4. Data input and output protection\nValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n5. Data recovery\nPeriodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2025-1384",
"datePublished": "2025-07-13T23:42:09.953Z",
"dateReserved": "2025-02-16T23:57:46.232Z",
"dateUpdated": "2025-07-14T14:15:23.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0591 (GCVE-0-2025-0591)
Vulnerability from cvelistv5 – Published: 2025-02-16 23:58 – Updated: 2025-02-18 16:06
VLAI?
Title
Out-of-bounds Read vulnerability in CX-Programmer
Summary
Out-of-bounds Read vulnerability (CWE-125) was found in CX-Programmer. Attackers may be able to read sensitive information or cause an application crash by abusing this vulnerability.
Severity ?
7.8 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | FA Integrated Tool Package CX-One |
Affected:
Ver.9.83 or lower
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T16:06:06.684155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T16:06:14.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "CX-Programmer",
"product": "FA Integrated Tool Package CX-One",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.9.83 or lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Out-of-bounds Read vulnerability (CWE-125) was found in CX-Programmer. Attackers may be able to read sensitive information or cause an application crash by abusing this vulnerability."
}
],
"value": "Out-of-bounds Read vulnerability (CWE-125) was found in CX-Programmer. Attackers may be able to read sensitive information or cause an application crash by abusing this vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-540",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-540 Overread Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-16T23:58:32.165Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-003_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-003_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update your CX-Programmer to the countermeasure version to fix the vulnerability.\u003cbr\u003eFor information on how to obtain and update the countermeasure version of the product, please contact our sales representative or distributor. You can update CX-One to the latest versions using the installed Omron Automation Software AutoUpdate tool.\u003cbr\u003e"
}
],
"value": "Update your CX-Programmer to the countermeasure version to fix the vulnerability.\nFor information on how to obtain and update the countermeasure version of the product, please contact our sales representative or distributor. You can update CX-One to the latest versions using the installed Omron Automation Software AutoUpdate tool."
}
],
"source": {
"advisory": "OMSR-2025-003",
"discovery": "UNKNOWN"
},
"title": "Out-of-bounds Read vulnerability in CX-Programmer",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\u003cbr\u003e\u003cbr\u003e1. Anti-virus protection Protect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e2. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e3. Data input and output protection Validation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e4. Data recovery Periodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\n\n1. Anti-virus protection Protect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n2. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n3. Data input and output protection Validation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n4. Data recovery Periodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2025-0591",
"datePublished": "2025-02-16T23:58:32.165Z",
"dateReserved": "2025-01-20T06:13:11.242Z",
"dateUpdated": "2025-02-18T16:06:14.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12083 (GCVE-0-2024-12083)
Vulnerability from cvelistv5 – Published: 2025-01-14 00:46 – Updated: 2025-05-06 23:55
VLAI?
Title
Path Traversal Vulnerabilities in NJ/NX-series Machine Automation Controllers
Summary
Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products.
Severity ?
6.6 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| OMRON Corporation | Machine Automation Controller NJ-series |
Affected:
NJ101-[][][][] Ver.1.64.05 and lower
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T15:28:53.612862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T15:29:28.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"packageName": "NJ101-[][][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ101-[][][][] Ver.1.64.05 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ301-[][][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ301-[][][][] Ver.1.64.05 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]0[]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]0[] Ver.1.64.05 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]2[]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]2[] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1340",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1340 Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-4[][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-4[][][] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-5300",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-5300 Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-R[][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[][][] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]1",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][]1 Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX102-[][]0[]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][]0[] Ver.1.64.07 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX102-[][]2[]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][]2[] Ver.1.64.07 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX502-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX502-[][][][] Ver.1.66.03 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX701-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX701-[][][][] Ver.1.35.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX-EIP201",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX-EIP201 Ver.1.01.02 and lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"value": "Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T23:55:36.575Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-001_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-001_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\u003cbr\u003eFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors. \u003cbr\u003e"
}
],
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\nFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors."
}
],
"source": {
"advisory": "OMSR-2025-001",
"discovery": "UNKNOWN"
},
"title": "Path Traversal Vulnerabilities in NJ/NX-series Machine Automation Controllers",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\u003cbr\u003e\u003cbr\u003e1. Secure Communication Function\u003cbr\u003eThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\u003cbr\u003e-NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\u003cbr\u003e-NX701 CPU Unit: Version 1.29 or higher\u003cbr\u003e-NX502 CPU Unit: Version 1.60 or higher\u003cbr\u003e-NX-EIP201 EtherNet/IPTM Unit: Version 1.00 or higher\u003cbr\u003e\u003cbr\u003e2. Anti-virus protection\u003cbr\u003eProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e3. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e4. Data input and output protection\u003cbr\u003eValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e5. Data recovery\u003cbr\u003ePeriodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\n\n1. Secure Communication Function\nThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\n-NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\n-NX701 CPU Unit: Version 1.29 or higher\n-NX502 CPU Unit: Version 1.60 or higher\n-NX-EIP201 EtherNet/IPTM Unit: Version 1.00 or higher\n\n2. Anti-virus protection\nProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n3. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n4. Data input and output protection\nValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n5. Data recovery\nPeriodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2024-12083",
"datePublished": "2025-01-14T00:46:33.399Z",
"dateReserved": "2024-12-03T04:43:25.034Z",
"dateUpdated": "2025-05-06T23:55:36.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12298 (GCVE-0-2024-12298)
Vulnerability from cvelistv5 – Published: 2025-01-14 00:45 – Updated: 2025-01-14 15:29
VLAI?
Title
Vulnerability Report on Improper Restriction of XML External Entity Reference in NB-Designer
Summary
We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer.
Severity ?
5.5 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | Programable Terminals NB-Designer |
Affected:
Ver.1.63 or lower
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12298",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T15:29:39.495895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T15:29:49.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"packageName": "NB-Designer",
"product": "Programable Terminals NB-Designer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.1.63 or lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer."
}
],
"value": "We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer."
}
],
"impacts": [
{
"capecId": "CAPEC-221",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-221 Data Serialization External Entities Blowup"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T00:45:38.605Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-002_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-002_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\u003cbr\u003eFor information on how to obtain and update the countermeasure version of the product, please contact our sales office or distributors.\u003cbr\u003e"
}
],
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\nFor information on how to obtain and update the countermeasure version of the product, please contact our sales office or distributors."
}
],
"source": {
"advisory": "OMSR-2025-002",
"discovery": "UNKNOWN"
},
"title": "Vulnerability Report on Improper Restriction of XML External Entity Reference in NB-Designer",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\u003cbr\u003e\u003cbr\u003e1. Secure Communication Function\u003cbr\u003eThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\u003cbr\u003e- NJ series, NX1P2 CPU Unit: Version 1.49 or higher\u003cbr\u003e\u003cbr\u003e2. Anti-virus protection\u003cbr\u003eProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e3. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e4. Data input and output protection\u003cbr\u003eValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e5. Data recovery\u003cbr\u003ePeriodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\n\n1. Secure Communication Function\nThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\n- NJ series, NX1P2 CPU Unit: Version 1.49 or higher\n\n2. Anti-virus protection\nProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n3. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n4. Data input and output protection\nValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n5. Data recovery\nPeriodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2024-12298",
"datePublished": "2025-01-14T00:45:38.605Z",
"dateReserved": "2024-12-06T05:22:07.010Z",
"dateUpdated": "2025-01-14T15:29:49.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49501 (GCVE-0-2024-49501)
Vulnerability from cvelistv5 – Published: 2024-11-01 04:07 – Updated: 2024-11-01 15:06
VLAI?
Summary
Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program which is protected by Data Protection function.
Severity ?
5.7 (Medium)
CWE
- CWE-863 - Incorrect authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | SYSMAC-SE2[][][] |
Affected:
all versions
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T15:06:44.922885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T15:06:52.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SYSMAC-SE2[][][]",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program which is protected by Data Protection function."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect authorization",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T04:07:39.666Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-006_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-006_ja.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU95685374"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-49501",
"datePublished": "2024-11-01T04:07:39.666Z",
"dateReserved": "2024-10-15T11:32:15.313Z",
"dateUpdated": "2024-11-01T15:06:52.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33687 (GCVE-0-2024-33687)
Vulnerability from cvelistv5 – Published: 2024-06-24 15:03 – Updated: 2025-03-13 14:36
VLAI?
Summary
Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration.
Severity ?
7.5 (High)
CWE
- Insufficient verification of data authenticity
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| OMRON Corporation | NJ Series CPU Unit |
Affected:
all versions
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-24T20:23:44.445669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:36:56.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:36:04.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-004_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92504444/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NJ Series CPU Unit",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"product": "NX Series CPU Unit",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient verification of data authenticity",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T15:03:05.467Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-004_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU92504444/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-33687",
"datePublished": "2024-06-24T15:03:05.467Z",
"dateReserved": "2024-04-26T07:55:08.563Z",
"dateUpdated": "2025-03-13T14:36:56.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31413 (GCVE-0-2024-31413)
Vulnerability from cvelistv5 – Published: 2024-05-01 12:54 – Updated: 2025-03-14 14:51
VLAI?
Summary
Free of pointer not at start of buffer vulnerability exists in CX-One CX-One CXONE-AL[][]D-V4 (The version which was installed with a DVD ver. 4.61.1 or lower, and was updated through CX-One V4 auto update in January 2024 or prior) and Sysmac Studio SYSMAC-SE2[][][] (The version which was installed with a DVD ver. 1.56 or lower, and was updated through Sysmac Studio V1 auto update in January 2024 or prior). Opening a specially crafted project file may lead to arbitrary code execution.
Severity ?
5.9 (Medium)
CWE
- Free of pointer not at start of buffer
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| OMRON Corporation | CX-One CX-One CXONE-AL[][]D-V4 |
Affected:
The version which was installed with a DVD ver. 4.61.1 or lower
Affected: and was updated through CX-One V4 auto update in January 2024 or prior |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:omrom:cx-designer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cx-designer",
"vendor": "omrom",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T14:49:56.532150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-761",
"description": "CWE-761 Free of Pointer not at Start of Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T14:51:31.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-002_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CX-One CX-One CXONE-AL[][]D-V4 ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "The version which was installed with a DVD ver. 4.61.1 or lower"
},
{
"status": "affected",
"version": " and was updated through CX-One V4 auto update in January 2024 or prior"
}
]
},
{
"product": "Sysmac Studio SYSMAC-SE2[][][] ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "The version which was installed with a DVD ver. 1.56 or lower"
},
{
"status": "affected",
"version": " and was updated through Sysmac Studio V1 auto update in January 2024 or prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Free of pointer not at start of buffer vulnerability exists in CX-One CX-One CXONE-AL[][]D-V4 (The version which was installed with a DVD ver. 4.61.1 or lower, and was updated through CX-One V4 auto update in January 2024 or prior) and Sysmac Studio SYSMAC-SE2[][][] (The version which was installed with a DVD ver. 1.56 or lower, and was updated through Sysmac Studio V1 auto update in January 2024 or prior). Opening a specially crafted project file may lead to arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Free of pointer not at start of buffer",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T12:54:15.483Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-002_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31413",
"datePublished": "2024-05-01T12:54:15.483Z",
"dateReserved": "2024-04-03T10:57:10.684Z",
"dateUpdated": "2025-03-14T14:51:31.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31412 (GCVE-0-2024-31412)
Vulnerability from cvelistv5 – Published: 2024-05-01 12:52 – Updated: 2024-08-02 01:52
VLAI?
Summary
Out-of-bounds read vulnerability exists in CX-Programmer included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower. Opening a specially crafted project file may lead to information disclosure and/or the product being crashed.
Severity ?
7.8 (High)
CWE
- Out-of-bounds read
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
Included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:omron:cx-programmer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cx-programmer",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "9.81",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T14:29:07.641532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T14:36:05.441Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-003_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Out-of-bounds read vulnerability exists in CX-Programmer included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower. Opening a specially crafted project file may lead to information disclosure and/or the product being crashed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Out-of-bounds read",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T12:52:13.173Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-003_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31412",
"datePublished": "2024-05-01T12:52:13.173Z",
"dateReserved": "2024-04-03T10:57:10.684Z",
"dateUpdated": "2024-08-02T01:52:56.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27121 (GCVE-0-2024-27121)
Vulnerability from cvelistv5 – Published: 2024-03-12 07:55 – Updated: 2024-08-16 19:50
VLAI?
Summary
Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege. As for the details of the affected product names/versions, see the information provided by the vendor under [References] section.
Severity ?
7.2 (High)
CWE
- Path traversal
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| OMRON Corporation | Machine Automation Controller NJ Series |
Affected:
NJ101-[][][][] Ver.1.64.03 and earlier
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-001_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-001_ja.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU95852116/index.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:omron:nj101-1000_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-1020_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-9000_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-9020_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj101-9020_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:omron:nj301-1100_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj301-1200_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj301-1200_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:omron:nj501-1300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1340_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1420_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1520_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4310_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-5300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r420_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r520_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj501-r520_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-27121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-12T18:25:40.523309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T19:50:12.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ101-[][][][] Ver.1.64.03 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ301-[][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]0[] Ver.1.64.03 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]2[] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1340 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-4[][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-5300 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][]1 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX502-[][][][] Ver.1.65.01 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX701-[][][][] Ver.1.35.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX-EIP201 Ver.1.00.01 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege. As for the details of the affected product names/versions, see the information provided by the vendor under [References] section."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T07:55:48.301Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-001_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-001_ja.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU95852116/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-27121",
"datePublished": "2024-03-12T07:55:48.301Z",
"dateReserved": "2024-02-20T08:22:05.133Z",
"dateUpdated": "2024-08-16T19:50:12.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43624 (GCVE-0-2023-43624)
Vulnerability from cvelistv5 – Published: 2023-10-23 04:51 – Updated: 2024-09-17 14:19
VLAI?
Summary
CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.
Severity ?
No CVSS data available.
CWE
- XML external entities (XXE)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Designer |
Affected:
Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.805Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-011_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU98683567/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:14:29.731149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T14:19:52.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Designer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML external entities (XXE)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T04:51:39.628Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-011_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU98683567/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-43624",
"datePublished": "2023-10-23T04:51:39.628Z",
"dateReserved": "2023-09-20T11:52:20.771Z",
"dateUpdated": "2024-09-17T14:19:52.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22277 (GCVE-0-2023-22277)
Vulnerability from cvelistv5 – Published: 2023-08-03 13:05 – Updated: 2024-10-17 14:21
VLAI?
Summary
Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22317 and CVE-2023-22314.
Severity ?
No CVSS data available.
CWE
- Use after free
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
Ver.9.79 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92877622/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T14:21:26.727465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T14:21:36.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.9.79 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22317 and CVE-2023-22314."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use after free",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T13:05:45.204Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU92877622/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22277",
"datePublished": "2023-08-03T13:05:45.204Z",
"dateReserved": "2022-12-27T15:57:55.077Z",
"dateUpdated": "2024-10-17T14:21:36.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22314 (GCVE-0-2023-22314)
Vulnerability from cvelistv5 – Published: 2023-08-03 12:59 – Updated: 2024-10-17 14:27
VLAI?
Summary
Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22277 and CVE-2023-22317.
Severity ?
No CVSS data available.
CWE
- Use after free
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
Ver.9.79 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92877622/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T14:27:26.735010Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T14:27:35.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.9.79 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22277 and CVE-2023-22317."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use after free",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T13:08:22.396Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU92877622/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22314",
"datePublished": "2023-08-03T12:59:07.012Z",
"dateReserved": "2022-12-27T15:57:55.088Z",
"dateUpdated": "2024-10-17T14:27:35.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22317 (GCVE-0-2023-22317)
Vulnerability from cvelistv5 – Published: 2023-08-03 12:56 – Updated: 2024-10-17 15:34
VLAI?
Summary
Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22277 and CVE-2023-22314.
Severity ?
No CVSS data available.
CWE
- Use after free
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
Ver.9.79 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92877622/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T15:33:38.630665Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T15:34:00.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.9.79 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22277 and CVE-2023-22314."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use after free",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T13:07:10.073Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU92877622/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22317",
"datePublished": "2023-08-03T12:56:14.503Z",
"dateReserved": "2022-12-27T15:57:55.084Z",
"dateUpdated": "2024-10-17T15:34:00.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38748 (GCVE-0-2023-38748)
Vulnerability from cvelistv5 – Published: 2023-08-03 05:09 – Updated: 2024-10-17 15:44
VLAI?
Summary
Use after free vulnerability exists in CX-Programmer Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur.
Severity ?
No CVSS data available.
CWE
- Use after free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:54:38.363Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-005_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU93286117/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T15:44:38.294238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T15:44:46.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use after free vulnerability exists in CX-Programmer Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use after free",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T05:09:16.186Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-005_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU93286117/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-38748",
"datePublished": "2023-08-03T05:09:16.186Z",
"dateReserved": "2023-07-25T03:13:53.096Z",
"dateUpdated": "2024-10-17T15:44:46.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38747 (GCVE-0-2023-38747)
Vulnerability from cvelistv5 – Published: 2023-08-03 05:00 – Updated: 2024-10-21 19:34
VLAI?
Summary
Heap-based buffer overflow vulnerability exists in CX-Programmer Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur.
Severity ?
No CVSS data available.
CWE
- Heap-based buffer overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:54:38.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-005_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU93286117/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38747",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:33:15.295856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:34:50.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow vulnerability exists in CX-Programmer Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Heap-based buffer overflow",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T05:00:34.672Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-005_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU93286117/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-38747",
"datePublished": "2023-08-03T05:00:34.672Z",
"dateReserved": "2023-07-25T03:13:53.096Z",
"dateUpdated": "2024-10-21T19:34:50.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38746 (GCVE-0-2023-38746)
Vulnerability from cvelistv5 – Published: 2023-08-03 04:58 – Updated: 2024-10-17 15:03
VLAI?
Summary
Out-of-bounds read vulnerability/issue exists in CX-Programmer Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur.
Severity ?
No CVSS data available.
CWE
- Out-of-bounds read
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:54:38.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-005_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU93286117/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T15:02:40.370304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T15:03:39.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Out-of-bounds read vulnerability/issue exists in CX-Programmer Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Out-of-bounds read",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T04:58:30.228Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-005_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU93286117/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-38746",
"datePublished": "2023-08-03T04:58:30.228Z",
"dateReserved": "2023-07-25T03:13:53.096Z",
"dateUpdated": "2024-10-17T15:03:39.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38744 (GCVE-0-2023-38744)
Vulnerability from cvelistv5 – Published: 2023-08-03 04:55 – Updated: 2024-10-17 15:17
VLAI?
Summary
Denial-of-service (DoS) vulnerability due to improper validation of specified type of input issue exists in the built-in EtherNet/IP port of the CJ Series CJ2 CPU unit and the communication function of the CS/CJ Series EtherNet/IP unit. If an affected product receives a packet which is specially crafted by a remote unauthenticated attacker, the unit of the affected product may fall into a denial-of-service (DoS) condition. Affected products/versions are as follows: CJ2M CPU Unit CJ2M-CPU3[] Unit version of the built-in EtherNet/IP section Ver. 2.18 and earlier, CJ2H CPU Unit CJ2H-CPU6[]-EIP Unit version of the built-in EtherNet/IP section Ver. 3.04 and earlier, CS/CJ Series EtherNet/IP Unit CS1W-EIP21 V3.04 and earlier, and CS/CJ Series EtherNet/IP Unit CJ1W-EIP21 V3.04 and earlier.
Severity ?
No CVSS data available.
CWE
- Denial-of-service (DoS)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| OMRON Corporation | CJ2M CPU Unit |
Affected:
CJ2M-CPU3[] Unit version of the built-in EtherNet/IP section Ver. 2.18 and earlier
|
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:54:38.498Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-006_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92193064/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:h:omron:cj2m_cpu_unit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cj2m_cpu_unit",
"vendor": "omron",
"versions": [
{
"lessThan": "2.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:omron:cj2h_cpu_unit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cj2h_cpu_unit",
"vendor": "omron",
"versions": [
{
"lessThan": "3.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:omron:cs_cj_series_ethernet_ip_unit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cs_cj_series_ethernet_ip_unit",
"vendor": "omron",
"versions": [
{
"lessThan": "CS1W-EIP21 V3.04",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "CJ1W-EIP21 V3.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T15:04:47.223773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T15:17:34.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CJ2M CPU Unit",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "CJ2M-CPU3[] Unit version of the built-in EtherNet/IP section Ver. 2.18 and earlier"
}
]
},
{
"product": "CJ2H CPU Unit",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "CJ2H-CPU6[]-EIP Unit version of the built-in EtherNet/IP section Ver. 3.04 and earlier"
}
]
},
{
"product": "CS/CJ Series EtherNet/IP Unit",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "CS1W-EIP21 V3.04 and earlier"
}
]
},
{
"product": "CS/CJ Series EtherNet/IP Unit",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "CJ1W-EIP21 V3.04 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Denial-of-service (DoS) vulnerability due to improper validation of specified type of input issue exists in the built-in EtherNet/IP port of the CJ Series CJ2 CPU unit and the communication function of the CS/CJ Series EtherNet/IP unit. If an affected product receives a packet which is specially crafted by a remote unauthenticated attacker, the unit of the affected product may fall into a denial-of-service (DoS) condition. Affected products/versions are as follows: CJ2M CPU Unit CJ2M-CPU3[] Unit version of the built-in EtherNet/IP section Ver. 2.18 and earlier, CJ2H CPU Unit CJ2H-CPU6[]-EIP Unit version of the built-in EtherNet/IP section Ver. 3.04 and earlier, CS/CJ Series EtherNet/IP Unit CS1W-EIP21 V3.04 and earlier, and CS/CJ Series EtherNet/IP Unit CJ1W-EIP21 V3.04 and earlier."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial-of-service (DoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T04:55:52.423Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-006_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU92193064/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-38744",
"datePublished": "2023-08-03T04:55:52.423Z",
"dateReserved": "2023-07-25T03:05:55.191Z",
"dateUpdated": "2024-10-17T15:17:34.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27396 (GCVE-0-2023-27396)
Vulnerability from cvelistv5 – Published: 2023-06-19 00:00 – Updated: 2024-12-24 16:45
VLAI?
Summary
FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON products. Multiple OMRON products that implement FINS protocol contain following security issues -- (1)Plaintext communication, and (2)No authentication required. When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device. Affected products and versions are as follows: SYSMAC CS-series CPU Units, all versions, SYSMAC CJ-series CPU Units, all versions, SYSMAC CP-series CPU Units, all versions, SYSMAC NJ-series CPU Units, all versions, SYSMAC NX1P-series CPU Units, all versions, SYSMAC NX102-series CPU Units, all versions, and SYSMAC NX7 Database Connection CPU Units (Ver.1.16 or later)
Severity ?
9.8 (Critical)
CWE
- Insecure Design
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | Multiple OMRON products which implement FINS protocol |
Affected:
SYSMAC CS-series CPU Units all versions, SYSMAC CJ-series CPU Units all versions, SYSMAC CP-series CPU Units all versions, SYSMAC NJ-series CPU Units all versions, SYSMAC NX1P-series CPU Units all versions, SYSMAC NX102-series CPU Units all versions, and SYSMAC NX7 Database Connection CPU Units Ver.1.16 or later
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:09:43.381Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/vulnerability/OMSR-2023-003_ja.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/ta/JVNTA91513661/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/ta/JVNTA91513661/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-063-03"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T16:45:15.508549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T16:45:20.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Multiple OMRON products which implement FINS protocol",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "SYSMAC CS-series CPU Units all versions, SYSMAC CJ-series CPU Units all versions, SYSMAC CP-series CPU Units all versions, SYSMAC NJ-series CPU Units all versions, SYSMAC NX1P-series CPU Units all versions, SYSMAC NX102-series CPU Units all versions, and SYSMAC NX7 Database Connection CPU Units Ver.1.16 or later"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON products. Multiple OMRON products that implement FINS protocol contain following security issues -- (1)Plaintext communication, and (2)No authentication required. When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device. Affected products and versions are as follows: SYSMAC CS-series CPU Units, all versions, SYSMAC CJ-series CPU Units, all versions, SYSMAC CP-series CPU Units, all versions, SYSMAC NJ-series CPU Units, all versions, SYSMAC NX1P-series CPU Units, all versions, SYSMAC NX102-series CPU Units, all versions, and SYSMAC NX7 Database Connection CPU Units (Ver.1.16 or later)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Design",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-19T00:00:00",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
},
{
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-003_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/vulnerability/OMSR-2023-003_ja.pdf"
},
{
"url": "https://jvn.jp/en/ta/JVNTA91513661/"
},
{
"url": "https://jvn.jp/ta/JVNTA91513661/"
},
{
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-063-03"
},
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-27396",
"datePublished": "2023-06-19T00:00:00",
"dateReserved": "2023-03-15T00:00:00",
"dateUpdated": "2024-12-24T16:45:20.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27385 (GCVE-0-2023-27385)
Vulnerability from cvelistv5 – Published: 2023-05-10 00:00 – Updated: 2025-01-28 14:23
VLAI?
Summary
Heap-based buffer overflow vulnerability exists in CX-Drive All models all versions. By having a user open a specially crafted SDD file, arbitrary code may be executed and/or information may be disclosed.
Severity ?
7.8 (High)
CWE
- Buffer overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Drive All models |
Affected:
all versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:09:43.373Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-004_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU97372625/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T14:23:03.703347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T14:23:09.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Drive All models",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow vulnerability exists in CX-Drive All models all versions. By having a user open a specially crafted SDD file, arbitrary code may be executed and/or information may be disclosed.\r\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Buffer overflow",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-02T10:54:24.555Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2023-004_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU97372625/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-27385",
"datePublished": "2023-05-10T00:00:00.000Z",
"dateReserved": "2023-03-15T00:00:00.000Z",
"dateUpdated": "2025-01-28T14:23:09.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22322 (GCVE-0-2023-22322)
Vulnerability from cvelistv5 – Published: 2023-01-30 00:00 – Updated: 2025-03-27 20:17
VLAI?
Summary
Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed.
Severity ?
5.5 (Medium)
CWE
- XML external entities (XXE)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Motion Pro |
Affected:
1.4.6.013 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU94200979/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T20:16:36.548819Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T20:17:03.881Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Motion Pro",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "1.4.6.013 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML external entities (XXE)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-30T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU94200979/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22322",
"datePublished": "2023-01-30T00:00:00.000Z",
"dateReserved": "2022-12-28T00:00:00.000Z",
"dateUpdated": "2025-03-27T20:17:03.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22366 (GCVE-0-2023-22366)
Vulnerability from cvelistv5 – Published: 2023-01-17 00:00 – Updated: 2025-04-03 19:23
VLAI?
Summary
CX-Motion-MCH v2.32 and earlier contains an access of uninitialized pointer vulnerability. Having a user to open a specially crafted project file may lead to information disclosure and/or arbitrary code execution.
Severity ?
7.8 (High)
CWE
- Access of uninitialized pointer
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Motion-MCH |
Affected:
v2.32 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:06.529Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU91744508/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T18:17:06.334682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-824",
"description": "CWE-824 Access of Uninitialized Pointer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:23:20.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Motion-MCH",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "v2.32 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CX-Motion-MCH v2.32 and earlier contains an access of uninitialized pointer vulnerability. Having a user to open a specially crafted project file may lead to information disclosure and/or arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Access of uninitialized pointer",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-17T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU91744508/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22366",
"datePublished": "2023-01-17T00:00:00.000Z",
"dateReserved": "2022-12-27T00:00:00.000Z",
"dateUpdated": "2025-04-03T19:23:20.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22357 (GCVE-0-2023-22357)
Vulnerability from cvelistv5 – Published: 2023-01-17 00:00 – Updated: 2025-04-04 17:42
VLAI?
Summary
Active debug code exists in OMRON CP1L-EL20DR-D all versions, which may lead to a command that is not specified in FINS protocol being executed without authentication. A remote unauthenticated attacker may read/write in arbitrary area of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution.
Severity ?
9.8 (Critical)
CWE
- Active debug code
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CP1L-EL20DR-D |
Affected:
All versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:06.482Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU97575890/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T17:41:56.035946Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-489",
"description": "CWE-489 Active Debug Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T17:42:19.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CP1L-EL20DR-D",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Active debug code exists in OMRON CP1L-EL20DR-D all versions, which may lead to a command that is not specified in FINS protocol being executed without authentication. A remote unauthenticated attacker may read/write in arbitrary area of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Active debug code",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-17T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU97575890/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22357",
"datePublished": "2023-01-17T00:00:00.000Z",
"dateReserved": "2022-12-27T00:00:00.000Z",
"dateUpdated": "2025-04-04T17:42:19.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46282 (GCVE-0-2022-46282)
Vulnerability from cvelistv5 – Published: 2022-12-21 00:00 – Updated: 2025-04-16 16:04
VLAI?
Summary
Use after free vulnerability in CX-Drive V3.00 and earlier allows a local attacker to execute arbitrary code by having a user to open a specially crafted file,
Severity ?
7.8 (High)
CWE
- Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Drive |
Affected:
V3.00 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:31:44.424Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92689335/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46282",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T16:03:50.064948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:04:18.711Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Drive",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "V3.00 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use after free vulnerability in CX-Drive V3.00 and earlier allows a local attacker to execute arbitrary code by having a user to open a specially crafted file,"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use After Free",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-21T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU92689335/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-46282",
"datePublished": "2022-12-21T00:00:00.000Z",
"dateReserved": "2022-12-06T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:04:18.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43509 (GCVE-0-2022-43509)
Vulnerability from cvelistv5 – Published: 2022-12-07 00:00 – Updated: 2025-04-23 14:18
VLAI?
Summary
Out-of-bounds write vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.
Severity ?
7.8 (High)
CWE
- Out-of-bounds Write
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
v.9.77 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:32:59.641Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92877622/index.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/vu/JVNVU92877622/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:17:47.602031Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T14:18:24.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "v.9.77 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Out-of-bounds write vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Out-of-bounds Write",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU92877622/index.html"
},
{
"url": "https://jvn.jp/vu/JVNVU92877622/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-43509",
"datePublished": "2022-12-07T00:00:00.000Z",
"dateReserved": "2022-10-22T00:00:00.000Z",
"dateUpdated": "2025-04-23T14:18:24.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43508 (GCVE-0-2022-43508)
Vulnerability from cvelistv5 – Published: 2022-12-07 00:00 – Updated: 2025-04-23 14:46
VLAI?
Summary
Use-after free vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.
Severity ?
7.8 (High)
CWE
- Use-after-free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
v.9.77 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:32:59.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92877622/index.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/vu/JVNVU92877622/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43508",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:44:19.369346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T14:46:05.306Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "v.9.77 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use-after free vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use-after-free",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU92877622/index.html"
},
{
"url": "https://jvn.jp/vu/JVNVU92877622/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-43508",
"datePublished": "2022-12-07T00:00:00.000Z",
"dateReserved": "2022-10-22T00:00:00.000Z",
"dateUpdated": "2025-04-23T14:46:05.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43667 (GCVE-0-2022-43667)
Vulnerability from cvelistv5 – Published: 2022-12-07 00:00 – Updated: 2025-04-23 14:09
VLAI?
Summary
Stack-based buffer overflow vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.
Severity ?
7.8 (High)
CWE
- Stack-based Buffer Overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
v.9.77 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:05.992Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92877622/index.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/vu/JVNVU92877622/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43667",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:08:22.472874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T14:09:01.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "v.9.77 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stack-based buffer overflow vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU92877622/index.html"
},
{
"url": "https://jvn.jp/vu/JVNVU92877622/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-43667",
"datePublished": "2022-12-07T00:00:00.000Z",
"dateReserved": "2022-10-22T00:00:00.000Z",
"dateUpdated": "2025-04-23T14:09:01.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-34151 (GCVE-0-2022-34151)
Vulnerability from cvelistv5 – Published: 2022-07-04 01:51 – Updated: 2024-08-03 08:16
VLAI?
Summary
Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who successfully obtained the user credentials by analyzing the affected product to access the controller.
Severity ?
No CVSS data available.
CWE
- Use of Hard-coded Credentials
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | Machine automation controller NJ series, Machine automation controller NX series, Automation software 'Sysmac Studio', and Programmable Terminal (PT) NA series |
Affected:
Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:16:17.136Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU97050784/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Machine automation controller NJ series, Machine automation controller NX series, Automation software \u0027Sysmac Studio\u0027, and Programmable Terminal (PT) NA series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software \u0027Sysmac Studio\u0027 all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software \u0027Sysmac Studio\u0027 all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who successfully obtained the user credentials by analyzing the affected product to access the controller."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use of Hard-coded Credentials",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-04T02:25:19",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU97050784/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-34151",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Machine automation controller NJ series, Machine automation controller NX series, Automation software \u0027Sysmac Studio\u0027, and Programmable Terminal (PT) NA series",
"version": {
"version_data": [
{
"version_value": "Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software \u0027Sysmac Studio\u0027 all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier"
}
]
}
}
]
},
"vendor_name": "OMRON Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software \u0027Sysmac Studio\u0027 all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who successfully obtained the user credentials by analyzing the affected product to access the controller."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use of Hard-coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdf",
"refsource": "MISC",
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdf"
},
{
"name": "https://jvn.jp/en/vu/JVNVU97050784/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU97050784/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-34151",
"datePublished": "2022-07-04T01:51:00",
"dateReserved": "2022-06-21T00:00:00",
"dateUpdated": "2024-08-03T08:16:17.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33971 (GCVE-0-2022-33971)
Vulnerability from cvelistv5 – Published: 2022-07-04 01:50 – Updated: 2024-08-03 08:16
VLAI?
Summary
Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier, which may allow an adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally to cause a denial-of-service (DoS) condition or execute a malicious program.
Severity ?
No CVSS data available.
CWE
- Authentication Bypass by Capture-replay
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | Machine automation controller NJ series, Machine automation controller NX series, Automation software 'Sysmac Studio', and Programmable Terminal (PT) NA series |
Affected:
Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:16:16.110Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU97050784/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-002_en.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Machine automation controller NJ series, Machine automation controller NX series, Automation software \u0027Sysmac Studio\u0027, and Programmable Terminal (PT) NA series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier, which may allow an adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally to cause a denial-of-service (DoS) condition or execute a malicious program."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass by Capture-replay",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-04T01:50:54",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU97050784/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-002_en.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-33971",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Machine automation controller NJ series, Machine automation controller NX series, Automation software \u0027Sysmac Studio\u0027, and Programmable Terminal (PT) NA series",
"version": {
"version_data": [
{
"version_value": "Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier"
}
]
}
}
]
},
"vendor_name": "OMRON Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier, which may allow an adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally to cause a denial-of-service (DoS) condition or execute a malicious program."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authentication Bypass by Capture-replay"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jvn.jp/en/vu/JVNVU97050784/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU97050784/index.html"
},
{
"name": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-002_en.pdf",
"refsource": "MISC",
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-002_en.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-33971",
"datePublished": "2022-07-04T01:50:54",
"dateReserved": "2022-06-21T00:00:00",
"dateUpdated": "2024-08-03T08:16:16.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33208 (GCVE-0-2022-33208)
Vulnerability from cvelistv5 – Published: 2022-07-04 01:50 – Updated: 2024-08-03 08:01
VLAI?
Summary
Authentication bypass by capture-replay vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who can analyze the communication between the affected controller and automation software 'Sysmac Studio' and/or a Programmable Terminal (PT) to access the controller.
Severity ?
No CVSS data available.
CWE
- Authentication Bypass by Capture-replay
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | Machine automation controller NJ series, Machine automation controller NX series, Automation software 'Sysmac Studio', and Programmable Terminal (PT) NA series |
Affected:
Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:01:20.422Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU97050784/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Machine automation controller NJ series, Machine automation controller NX series, Automation software \u0027Sysmac Studio\u0027, and Programmable Terminal (PT) NA series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software \u0027Sysmac Studio\u0027 all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authentication bypass by capture-replay vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software \u0027Sysmac Studio\u0027 all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who can analyze the communication between the affected controller and automation software \u0027Sysmac Studio\u0027 and/or a Programmable Terminal (PT) to access the controller."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass by Capture-replay",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-04T02:25:11",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU97050784/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-33208",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Machine automation controller NJ series, Machine automation controller NX series, Automation software \u0027Sysmac Studio\u0027, and Programmable Terminal (PT) NA series",
"version": {
"version_data": [
{
"version_value": "Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software \u0027Sysmac Studio\u0027 all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier"
}
]
}
}
]
},
"vendor_name": "OMRON Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authentication bypass by capture-replay vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software \u0027Sysmac Studio\u0027 all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who can analyze the communication between the affected controller and automation software \u0027Sysmac Studio\u0027 and/or a Programmable Terminal (PT) to access the controller."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authentication Bypass by Capture-replay"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdf",
"refsource": "MISC",
"url": "https://www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdf"
},
{
"name": "https://jvn.jp/en/vu/JVNVU97050784/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU97050784/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-33208",
"datePublished": "2022-07-04T01:50:44",
"dateReserved": "2022-06-21T00:00:00",
"dateUpdated": "2024-08-03T08:01:20.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25325 (GCVE-0-2022-25325)
Vulnerability from cvelistv5 – Published: 2022-03-07 09:00 – Updated: 2024-08-03 04:36
VLAI?
Summary
Use after free vulnerability in CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite allows an attacker to cause information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file. This vulnerability is different from CVE-2022-25230.
Severity ?
No CVSS data available.
CWE
- Use after free
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OMRON Corporation | CX-Programmer |
Affected:
CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:36:06.770Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU90121984/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use after free vulnerability in CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite allows an attacker to cause information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file. This vulnerability is different from CVE-2022-25230."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use after free",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T09:00:43",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU90121984/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-25325",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CX-Programmer",
"version": {
"version_data": [
{
"version_value": "CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite"
}
]
}
}
]
},
"vendor_name": "OMRON Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Use after free vulnerability in CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite allows an attacker to cause information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file. This vulnerability is different from CVE-2022-25230."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use after free"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jvn.jp/en/vu/JVNVU90121984/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU90121984/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-25325",
"datePublished": "2022-03-07T09:00:43",
"dateReserved": "2022-02-22T00:00:00",
"dateUpdated": "2024-08-03T04:36:06.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}