OTPulse

Omron CX-One

Monitor · 6.6 · ICS-CERT ICSA-18-338-01 · Dec 4, 2018
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

CX-Server and CX-Programmer contain buffer overflow and use-after-free vulnerabilities (CWE-121, CWE-416) that allow code execution under the application's privileges. Successful exploitation requires local access to an engineering workstation and user interaction, such as opening a malicious file or clicking a social engineering link. These vulnerabilities are not remotely exploitable. Omron has released patches: CX-Programmer 9.70 and CX-Server 5.0.24.

What this means
What could happen
An attacker with local access to an engineering workstation running CX-One could execute arbitrary code under the application's privileges, potentially allowing modification of control logic, process parameters, or device configurations.
Who's at risk
Organizations operating Omron automation systems should care about this vulnerability. It affects engineers and technicians who use CX-One (CX-Programmer and CX-Server) to develop, test, and deploy control logic to Omron PLCs, industrial computers, and network devices. This is relevant to water treatment plants, electrical substations, wastewater systems, and any facility using Omron control systems for critical operations.
How it could be exploited
An attacker must have local access to a Windows workstation running the vulnerable CX-Server or CX-Programmer software. The attack requires user interaction (e.g., opening a malicious file or following a social engineering link). Once code execution is achieved, the attacker could modify control logic, change device settings, or interfere with the engineering environment used to manage your Omron PLCs and controllers.
Prerequisites
  • Local access to an engineering workstation running CX-One
  • User interaction required (file open, social engineering)
  • CX-Server version 5.0.23 or earlier, or CX-Programmer version 9.66 or earlier
  • Local access required (limits remote risk)
  • Low complexity attack
  • User interaction required
  • No patch available for affected versions (end-of-life products)
  • Could lead to unauthorized control system modification
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
CX-Server | ≤ 5.0.23 | 5.0.24
CX-Programmer | ≤ 9.66 | 9.70
Remediation & Mitigation
Do now
HARDENING: Restrict physical and logical access to engineering workstations running CX-One; limit who can use these systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CX-Programmer to version 9.70 or later
HOTFIX: Update CX-Server (Common Module) to version 5.0.24 or later
HARDENING: Implement endpoint security and monitor for suspicious activity on engineering workstations
Long-term hardening
HARDENING: Isolate engineering workstations from the business network using network segmentation or dedicated VLAN