Omron CX-Supervisor (Update A)
Plan Patch | 8.5 | ICS-CERT ICSA-18-072-01 | Mar 13, 2018
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
CX-Supervisor versions 3.40 and earlier contain multiple memory corruption vulnerabilities (buffer overflow, use-after-free, out-of-bounds write) in their process memory handling. These are tracked as CWE-121, CWE-416, CWE-824, CWE-415, CWE-787, CWE-822, and CWE-122. Successful exploitation could allow remote code execution on systems running vulnerable versions. Omron has released version 3.4.1 to address these issues. The advisory notes that these vulnerabilities are not exploitable remotely without authentication, and no public exploits are currently known.
What this means
What could happen
Successful exploitation could allow remote code execution on CX-Supervisor engineering workstations, potentially enabling an attacker to manipulate control logic, alter setpoints, or disrupt supervisory operations across connected devices.
Who's at risk
Water utilities and municipal electric utilities using Omron CX-Supervisor (version 3.40 or earlier) for HMI/SCADA engineering and configuration. This affects engineering workstations and supervisory control systems that manage process automation, RTUs, and remote I/O devices across water treatment, distribution, or power generation plants.
How it could be exploited
An attacker with network access and valid engineering credentials (their own or otherwise obtained) could exploit memory corruption vulnerabilities (buffer overflow, use-after-free) in CX-Supervisor to execute arbitrary code on the workstation. The attacker would need to interact with the CX-Supervisor application or send crafted network packets to trigger the vulnerability.
Prerequisites
- Network access to the CX-Supervisor workstation (port varies by configuration, typically internal network)
- Valid engineering workstation credentials or ability to authenticate to CX-Supervisor
- CX-Supervisor version 3.40 or earlier running on target system
- User interaction or ability to reach the vulnerable code path in the application
Remotely exploitable via network | Requires authentication (engineering credentials) | Multiple memory corruption vulnerabilities (buffer overflow, use-after-free) | Could lead to remote code execution on engineering workstations | No known public exploits at time of advisory
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: CX-Supervisor
Affected Versions: ≤ 3.40
Fix Status: 3.4.1
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to CX-Supervisor workstations to only authorized engineering and IT staff; use firewall rules to block unnecessary connections
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update CX-Supervisor to version 3.4.1 or later
Long-term hardening
- HARDENING: Implement network segmentation to isolate CX-Supervisor and control system networks from the business/Internet-facing network
- HARDENING: If remote access to CX-Supervisor is required, require VPN with multi-factor authentication and enforce VPN client security hardening