Omron CX-One

Plan Patch7.8ICS-CERT ICSA-21-007-02Jan 7, 2021

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Omron CX-One contains memory corruption vulnerabilities (CWE-822, CWE-121, CWE-843) in CX-Server, CX-Protocol, and CX-Position components. These vulnerabilities are triggered through local file interaction and require user interaction (opening a malicious file or link). Affected versions: CX-Server <= 5.0.28, CX-Protocol <= 2.02, CX-Position <= 2.52.

What this means

What could happen

An attacker could gain unauthorized access to sensitive engineering data or execute commands on an engineering workstation running CX-One, potentially allowing modification of industrial control system configurations or programs.

Who's at risk

Engineering teams and operators at industrial facilities using Omron CX-One software should care about this vulnerability. CX-One is the main configuration and programming tool for Omron programmable logic controllers (PLCs) and industrial automation devices. Affected sectors include water/wastewater treatment, electric power, chemical processing, and discrete manufacturing.

How it could be exploited

An attacker sends a malicious file or social engineering email to an engineer or operator. When the recipient opens the file in CX-One, memory corruption occurs, allowing code execution on the workstation with the privileges of the CX-One user. The attacker could then access ICS project files or deploy malicious configurations.

Prerequisites

User must be logged into the engineering workstation running CX-One
User must be tricked into opening a malicious file attachment or clicking a link
Local access to the CX-One application or filesystem
CX-One software must be installed and active

Requires user interaction (social engineering vector)Local code execution on engineering workstationAffects confidentiality and integrity of ICS configurationsMemory corruption vulnerabilities (high severity if exploited)Engineering workstations may have direct access to control systems

Exploitability

Moderate exploit probability (EPSS 1.7%)

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

CX-Server:≤ 5.0.285.0.29

CX-Protocol:≤ 2.022.03

CX-Position:≤ 2.522.53

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDTrain engineering staff to avoid opening unsolicited email attachments and clicking untrusted links; enforce email security policies

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CX-Protocol to version 2.03 or later via CX-One auto-update service

HOTFIXUpdate CX-Server to version 5.0.29 or later via CX-One auto-update service

HOTFIXUpdate CX-Position to version 2.53 or later via CX-One auto-update service

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate engineering workstations from production networks and limit their internet access

HARDENINGUse email filtering and antivirus software on engineering workstations to block malicious files

CVEs (3)

CVE-2020-27259 CVE-2020-27261 CVE-2020-27257

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5eca8c94-a773-4bde-8105-8c6e84333ff4