Omron CX-Supervisor
Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-19-309-01
Published: Nov 5, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
CX-Supervisor contains a critical vulnerability (CWE-477) that could result in information disclosure, total compromise of the system, and system unavailability. The vulnerability is remotely exploitable with no authentication required and low attack complexity.
What this means
What could happen
An attacker with network access could gain complete control of the CX-Supervisor workstation, potentially altering process control setpoints, stopping operations, or accessing sensitive facility data across the entire industrial control system it manages.
Who's at risk
This affects organizations running Omron CX-Supervisor for industrial process monitoring and control, including water utilities, electric utilities, manufacturing plants, and any facility using Omron automation equipment. The vulnerability affects engineering workstations and control system servers that manage PLCs, drives, and other field devices.
How it could be exploited
An attacker on the network sends a crafted request to CX-Supervisor. With no authentication required, the vulnerability allows the attacker to execute code on the workstation. From there, the attacker can modify system configurations, view process data, or disrupt operations across connected devices.
Prerequisites
- Network-layer access to the CX-Supervisor workstation (direct or via internal network)
- No credentials required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS (9.8), affects control system, total system compromise possible
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
CX-Supervisor | ≤ 3.5 (12) | 3.51 (9)
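The affected-version row above is easy to misread when checking an asset inventory by hand: "3.5" is numerically less than "3.51" but string comparison gets it wrong, and the parenthesised build number is a secondary key. The following helper is an added example, not code from the advisory, ICS-CERT or Omron; it assumes version strings of the form "major.minor (build)" as printed in the table, treats the release part as a decimal (so 3.5 and 3.50 compare equal) and the build as an integer, and flags builds that sit between the last listed affected version and the fixed version for review rather than silently passing them.

```python
import re
from decimal import Decimal
from typing import NamedTuple

# Values taken from the advisory's affected-products row.
LAST_AFFECTED = "3.5 (12)"   # advisory lists "<= 3.5 (12)" as affected
FIXED_IN = "3.51 (9)"        # advisory's fix status

# Assumed format: "<major>.<minor>" optionally followed by " (<build>)".
_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)\s*(?:\((\d+)\))?\s*$")


class OmronVersion(NamedTuple):
    release: Decimal  # Decimal so that 3.5 == 3.50 and 3.5 < 3.51
    build: int        # number in parentheses; 0 when absent


def parse_version(text: str) -> OmronVersion:
    """Parse a CX-Supervisor version string such as '3.51 (9)'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CX-Supervisor version string: {text!r}")
    return OmronVersion(Decimal(m.group(1)), int(m.group(2) or 0))


def is_affected(installed: str) -> bool:
    """True when the installed version is <= the last affected version."""
    return parse_version(installed) <= parse_version(LAST_AFFECTED)


def status(installed: str) -> str:
    """PATCH: listed as affected; OK: at or above the fix;
    BELOW_FIX: newer than the listed affected range but older than the fix
    (not covered by the advisory table, so treat as needing review)."""
    v = parse_version(installed)
    if v <= parse_version(LAST_AFFECTED):
        return "PATCH"
    if v < parse_version(FIXED_IN):
        return "BELOW_FIX"
    return "OK"


def triage(inventory: dict) -> dict:
    """Map host name -> status; unparsable strings become UNKNOWN."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = status(ver)
        except ValueError:
            result[host] = "UNKNOWN"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    sample = {
        "hmi-01": "3.5 (12)",
        "hmi-02": "3.51 (9)",
        "hmi-03": "3.5 (13)",
        "hmi-04": "n/a",
    }
    for host, st in triage(sample).items():
        print(f"{host}: {st}")
```

Feed it the version strings reported by your asset inventory; anything returning PATCH or BELOW_FIX belongs in the maintenance window item below, and UNKNOWN entries need a manual look at the installed build.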
Remediation & Mitigation
Do now
HARDENING: Isolate CX-Supervisor workstations on a dedicated network segment behind a firewall, separate from the business network
HARDENING: Disable direct internet access to CX-Supervisor; block inbound connections from untrusted networks at the firewall
WORKAROUND: If remote access to CX-Supervisor is required, use a VPN with current security patches and strong authentication
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: Update CX-Supervisor to version 3.51 (9) or later
CVEs (1)
API: /api/v1/advisories/eb8d9146-3b76-4fa8-ae30-1a1eed04f9de