Omron CX-One
Plan Patch | 7.8 | ICS-CERT ICSA-21-131-01 | May 11, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
CX-One and CX-Server contain a buffer overflow or memory corruption vulnerability (CWE-121) that allows arbitrary code execution if a user opens a specially crafted file or attachment on a machine running the software. The vulnerability requires local access and user interaction; it is not exploitable remotely. Successful exploitation could allow an attacker to run commands with the privileges of the application user, potentially leading to modification of PLC programs, control logic, or access to sensitive engineering data.
What this means
What could happen
An attacker with local access to a machine running CX-One or CX-Server could execute arbitrary code with the privileges of the user running the application, potentially compromising engineering workstations and allowing modification of PLC programs or settings.
Who's at risk
This vulnerability affects organizations using Omron's CX-One or CX-Server software, which are commonly used for programming and configuring Omron PLCs and automation controllers in water treatment, wastewater, power generation, and industrial manufacturing facilities. Engineering and IT staff responsible for maintaining PLC programs and control logic should prioritize this issue.
How it could be exploited
An attacker must trick a user into opening a malicious file or email attachment on a machine where CX-One or CX-Server is installed. The vulnerability likely involves a buffer overflow or memory corruption issue triggered during file parsing. Once exploited, the attacker can run arbitrary code in the context of the application user.
Prerequisites
- Local access to a machine running CX-One version 4.60 or earlier, or CX-Server version 5.0.29.0 or earlier
- User interaction required: victim must open a malicious file or attachment
- No special credentials or elevated privileges needed before exploitation
- Local access required (reduces immediate risk but high risk for insider or physical access attacks)
- User interaction required (social engineering vector via email)
- Arbitrary code execution possible
- Affects engineering workstations (direct access to control logic)
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (2)
1 with fix, 1 EOL
Product | Affected Versions | Fix Status
CX-Server | ≤ 5.0.29.0 | 5.0.29.1
CX-One | ≤ 4.60 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Do not open unsolicited email attachments or click untrusted web links, especially on engineering workstations where CX-One is installed
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade CX-Server to version 5.0.29.1 or later using the auto-update service
Mitigations - no patch available
CX-One has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict local access to engineering workstations running CX-One and CX-Server to trusted personnel only
HARDENING: Implement network segmentation to isolate engineering workstations from general corporate networks and untrusted systems
CVEs (1)