OTPulse

Omron PLC CJ and CS Series

Plan Patch | 8.6 | ICS-CERT ICSA-19-346-02 | Dec 12, 2019
Summary

Omron CS, CJ, and NX1P2 series PLCs contain authentication bypass vulnerabilities (CWE-290, CWE-294, CWE-412) that allow an attacker to pose as an authorized user and obtain status information from the PLC. No public exploits are known. Omron has not released patches for these products.

What this means
What could happen
An attacker with network access to the PLC could impersonate an authorized engineer and read operational status, potentially gathering information needed to plan further attacks on the manufacturing process. No direct process control compromise has been documented.
Who's at risk
Manufacturing facilities using Omron CS, CJ, or NX1P2 series PLCs for process automation, packaging lines, conveyor systems, or any industrial control application. Any organization that has these PLCs on networks with external connectivity or untrusted internal network segments is at risk.
How it could be exploited
An attacker sends unauthenticated or spoofed FINS protocol commands to the PLC on port 9600 (or a custom port, if one is configured). The PLC accepts the commands without proper authentication, allowing the attacker to query device status and configuration information as if they were an authorized user.
Prerequisites
  • Network access to PLC FINS port (default 9600)
  • No valid credentials required
  • PLC must be reachable from attacker's network segment
No patch available | Remotely exploitable | No authentication required | Affects all versions of three PLC series
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3), 3 EOL

Product | Affected Versions | Fix Status
PLC NX1P2 series: all versions | All versions | No fix (EOL)
PLC CS series: all versions | All versions | No fix (EOL)
PLC CJ series: all versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Block inbound access to FINS port 9600 (and any alternate FINS ports) at the network firewall, allowing only connections from known engineering workstations and approved remote access points
  • WORKAROUND: Implement IP address filtering at the firewall to restrict which devices can connect to each PLC: only permit connections from authorized engineering stations and HMI systems
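One way to verify that the per-PLC source restriction in the two workarounds above is holding, as an added example (not code from OTPulse, Omron or ICS-CERT): a Python audit of flow-log lines against an allowlist. The log format, addresses and allowlist are constructed, and checking both UDP and TCP on port 9600 is an assumption, since the advisory names only the port.

```python
import ipaddress
from dataclasses import dataclass

FINS_PORTS = {9600}  # default FINS port from the advisory; add site-specific alternates
# Constructed allowlist: PLC address -> networks allowed to reach its FINS port
ALLOWLIST = {
    "10.20.1.10": ["10.20.5.21/32", "10.20.6.0/28"],  # engineering station + HMI range
    "10.20.1.11": ["10.20.5.21/32"],                  # engineering station only
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line):
    """Parse 'src=.. dst=.. proto=.. dport=..' (constructed format); None if malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        ipaddress.ip_address(fields["src"])  # reject unparseable source addresses
        return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))
    except (KeyError, ValueError):
        return None

def is_violation(flow, allowlist=ALLOWLIST, ports=FINS_PORTS):
    """True if the flow reaches a listed PLC's FINS port from a source not on its allowlist."""
    if flow.dport not in ports or flow.proto not in ("udp", "tcp") or flow.dst not in allowlist:
        return False
    src = ipaddress.ip_address(flow.src)
    return not any(src in ipaddress.ip_network(net) for net in allowlist[flow.dst])

def audit(lines):
    # Malformed lines are skipped rather than treated as violations.
    flows = (parse_flow(line) for line in lines)
    return [f for f in flows if f is not None and is_violation(f)]

# Constructed sample log lines, not captured traffic
SAMPLE_LOG = """\
src=10.20.5.21 dst=10.20.1.10 proto=udp dport=9600
src=10.20.6.7 dst=10.20.1.10 proto=tcp dport=9600
src=10.20.6.7 dst=10.20.1.11 proto=udp dport=9600
src=192.168.40.15 dst=10.20.1.10 proto=udp dport=9600
src=192.168.40.15 dst=10.20.1.10 proto=tcp dport=443
malformed line
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"ALERT unauthorized FINS source {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Any alert here means the firewall rule set is more permissive than the allowlist, or traffic is reaching the PLC by a path that bypasses the firewall.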
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PLC NX1P2 series: all versions, PLC CS series: all versions, PLC CJ series: all versions. Apply the following compensating controls:
  • HARDENING: Segment PLCs onto a separate, isolated control network that is not directly connected to the business network or Internet
  • HARDENING: If remote access to PLCs is required, enforce it only through a secure VPN with multi-factor authentication, and keep VPN appliance firmware fully patched
  • HARDENING: Minimize direct Internet connectivity for all Omron PLCs and ensure they are not exposed to unsecured remote access
API: /api/v1/advisories/b6210902-1321-49b3-a45f-2aaad9a6cbc3