OTPulse

Omron CX-Programmer

Monitor · 6.6 · ICS-CERT ICSA-19-094-01 · Apr 4, 2019
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

CX-Programmer versions 9.70 and prior, and Common Components from January 2019 and prior, contain a use-after-free vulnerability (CWE-416) that could allow code execution with application privileges. Exploitation requires local access and user interaction (opening a malicious file). Omron released CX-Programmer v9.71 and the April 2019 Common Components to address the issue. The vulnerability is not remotely exploitable and has no known public exploits.

What this means
What could happen
An attacker could execute code on a CX-Programmer engineering workstation with the privileges of the application, potentially allowing modification of PLC programs or control logic before deployment to operational devices.
Who's at risk
Affects organizations using Omron CX-Programmer for PLC development and commissioning. This includes water utilities and electric utilities managing treatment plants, pump stations, and distribution control systems where engineers develop or modify automation logic on Windows workstations.
How it could be exploited
The vulnerability requires local code execution on a Windows machine where CX-Programmer is installed. An attacker would need to trick a user into opening a malicious file (e.g., email attachment or web download) that exploits the use-after-free flaw to run arbitrary code in the CX-Programmer process.
Prerequisites
  • Local access to the engineering workstation
  • User interaction required to open malicious file
  • CX-Programmer v9.70 or earlier installed
Tags: local code execution · user interaction required · low complexity attack · affects engineering workstations
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
Product                                   | Affected Versions | Fix Status
CX-Programmer: v9.70 and prior            | ≤ 9.70            | 9.71
Common Components: January 2019 and prior | ≤ January 2019    | April 2019
Remediation & Mitigation
Do now
HARDENING: Educate users to avoid opening unsolicited email attachments and clicking untrusted links
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CX-Programmer to version 9.71 or later via the CX-One auto-update service
HOTFIX: Update Common Components to April 2019 or later
Long-term hardening
HARDENING: Restrict access to engineering workstations and implement file integrity monitoring on PLC program libraries
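As an added example of the file integrity monitoring recommended above (this is not code from Omron, ICS-CERT or OTPulse), the following Python script takes a SHA-256 baseline of a PLC program library and, on a later check, reports files that were added, removed or modified. The directory layout and the .cxp file names are constructed for the demo; the baseline would normally be written somewhere the engineering workstation cannot modify and the check run on a schedule or before each download to a PLC.

```python
"""Baseline-and-verify file integrity check for a PLC program library.

Added example, not vendor code. Assumption: PLC programs are kept as files
under one directory tree (for example CX-Programmer project files); every
path and file name used here is constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large project files are fine."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, out: Path) -> None:
    # Keep the baseline outside the monitored tree (ideally read-only media
    # or another host) so whoever alters a program cannot also rewrite the
    # reference hashes.
    Path(out).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots of the library."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a library, change it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "plc_programs"  # constructed library path
        (lib / "pump_station").mkdir(parents=True)
        (lib / "pump_station" / "P1.cxp").write_bytes(b"ladder logic v1")
        (lib / "treatment.cxp").write_bytes(b"original program")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(lib), baseline_file)

        # Changes an integrity check should flag: one modified, one added,
        # one removed.
        (lib / "treatment.cxp").write_bytes(b"altered program")
        (lib / "new_rung.cxp").write_bytes(b"unexpected file")
        (lib / "pump_station" / "P1.cxp").unlink()

        return compare(load_baseline(baseline_file), build_baseline(lib))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three change lists for the constructed scenario; in production the same `compare` output would be forwarded to the SIEM or ticketing system, and a non-empty "modified" or "added" list on a library that has no approved change record is the alert condition.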