Omron CX-Supervisor (Update A)
Plan: Patch · CVSS 8.8 · ICS-CERT ICSA-19-318-04 · Nov 14, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
CX-Supervisor versions 3.5 (12) and earlier are vulnerable to a code execution vulnerability (CWE-477) that could be exploited when a user clicks a malicious link or opens an infected attachment in email while running the application. Successful exploitation results in information disclosure, complete system compromise, and system unavailability. The attack requires user interaction but no special credentials or authentication beyond the user's normal session.
What this means
What could happen
An attacker could gain complete control of the CX-Supervisor HMI system, read sensitive process data, and disrupt or stop supervisory operations at the facility.
Who's at risk
Water utilities and electric utilities running Omron CX-Supervisor as their HMI/SCADA front end should prioritize this. Any facility using CX-Supervisor version 3.5 (12) or earlier for supervisory monitoring and control is at risk. This affects facilities with remote operator access or where HMI workstations may receive email.
How it could be exploited
An attacker sends a malicious link or attachment via email that tricks an authorized user into clicking it while logged into or running the CX-Supervisor application. The attack exploits a code execution flaw, allowing the attacker to run arbitrary commands with the privileges of the CX-Supervisor process.
Prerequisites
- User interaction required: victim must click a malicious link or open an attachment in email
- CX-Supervisor application running on the target system
- No credentials required beyond what the user already has
- remotely exploitable via email link/attachment
- no authentication required beyond user session
- low complexity attack (social engineering)
- affects supervisory/control system HMI
- CVSS 8.8 (high severity)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: CX-Supervisor
Affected Versions: ≤ 3.5 (12)
Fix Status: fixed in 3.51 (9)
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to CX-Supervisor systems using firewall rules; ensure HMI/supervisory systems are not reachable from the Internet or business network
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update CX-Supervisor to version 3.51 (9) or later
Long-term hardening
- HARDENING: Isolate CX-Supervisor and related control system networks behind firewalls, separate from corporate network
- HARDENING: If remote access to CX-Supervisor is required, use secure VPN connections with the most current firmware and security patches
- HARDENING: Train users not to click links or open attachments from unsolicited emails, especially those requesting access to control systems or sensitive applications
CVEs (1)