Omron PLC CJ, CS and NJ Series
Monitor6.5ICS-CERT ICSA-19-346-03Dec 12, 2019
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Omron PLC NJ, CS, and CJ series are vulnerable to brute force attacks against the FTP login interface. The FTP service accepts repeated authentication attempts without rate limiting or account lockout, allowing an attacker to systematically guess valid credentials. Once credentials are compromised, the attacker gains unauthorized access to the FTP interface, the PLC filesystem, and potentially the ability to modify control logic or process parameters. All versions of the affected product lines are impacted, and no vendor patch is available.
What this means
What could happen
An attacker could brute force FTP login credentials to gain unauthorized access to the PLC, potentially allowing them to upload malicious code, modify process setpoints, or disrupt plant operations. Compromised credentials also grant direct access to system configuration and control logic.
Who's at risk
Manufacturing facilities and utilities using Omron NJ, CS, or CJ series PLCs. These are commonly found in process control, water treatment, power generation, and discrete manufacturing environments. Any facility where these PLCs manage critical automation or safety functions should prioritize this issue.
How it could be exploited
An attacker with network access to the PLC probes the FTP service (port 21 by default) and repeatedly attempts username/password combinations until valid credentials are discovered. Once authenticated, the attacker can access the FTP interface to read or modify PLC files and configurations. No special tools or authentication bypass techniques are required—only network visibility of the FTP port.
Prerequisites
- Network access to FTP port 21 (or configured FTP port) on the PLC
- Default or weak credentials in use (e.g., default usernames and passwords not changed from factory settings)
remotely exploitableno authentication requiredlow complexityno patch availabledefault credentials
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3)
3 EOL
ProductAffected VersionsFix Status
PLC NJ series: all versionsAll versionsNo fix (EOL)
PLC CS series: all versionsAll versionsNo fix (EOL)
PLC CJ series: all versionsAll versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/3WORKAROUNDBlock FTP port (default 21) at the network firewall to prevent external and unauthorized internal access to the PLC
WORKAROUNDUse firewall rules to restrict PLC network access by IP address, allowing only authorized engineering and monitoring workstations
HARDENINGSet strong, unique passwords for all PLC user accounts; avoid default credentials and any simple or dictionary-based passwords
Mitigations - no patch available
0/2The following products have reached End of Life with no planned fix: PLC NJ series: all versions, PLC CS series: all versions, PLC CJ series: all versions. Apply the following compensating controls:
HARDENINGSegment control system networks from the business network using firewalls and VLANs to minimize PLC exposure
HARDENINGIf remote access is required, use VPNs or other secure tunneling methods rather than direct FTP access
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/668e0ab9-1a45-41ab-9fd6-0f83b2cdab62