Omron CX-One

Plan Patch7.8ICS-CERT ICSA-22-006-01Jan 6, 2022

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

CX-One versions 4.60 and earlier contain a stack-based buffer overflow vulnerability (CWE-121) that allows arbitrary code execution when a user processes a specially crafted file. The vulnerability is not remotely exploitable and requires local file access and user interaction to trigger. No public exploits are known at this time. Omron has released CX-Server version 5.0.29.2 as a fix, available through the CX-One auto-update service.

What this means

What could happen

An attacker could execute arbitrary code on an engineering workstation running CX-One through a malicious file or attachment, potentially allowing them to modify control logic, damage projects, or pivot to other systems on the network.

Who's at risk

Engineering teams and automation professionals using Omron CX-One on Windows workstations for PLC programming and project management. This affects users at water utilities, power plants, manufacturing facilities, and any site using Omron controllers for critical automation.

How it could be exploited

An attacker sends a malicious file (likely via email or social engineering) to a user with CX-One installed. When the user opens or interacts with the file using CX-One, the vulnerability is triggered, allowing arbitrary code execution on the workstation with the privileges of the logged-in user.

Prerequisites

CX-One version 4.60 or earlier installed on a Windows workstation
User interaction required: must open or process a malicious file in CX-One
Local or network access to deliver the malicious file to the target workstation

local code execution via malicious fileuser interaction requiredlow complexity attackaffects engineering workstations that may have network access to control systemsrequires social engineering

Exploitability

Low exploit probability (EPSS 0.7%)

Affected products (1)

ProductAffected VersionsFix Status

CX-One:≤ 4.60CX-Server 5.0.29.2

Remediation & Mitigation

0/3

Do now

0/2

WORKAROUNDDo not click web links or open unsolicited attachments in email messages, especially files intended to be opened with CX-One

HARDENINGImplement email security controls to filter suspicious attachments and external links before they reach users

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CX-One to CX-Server version 5.0.29.2 or later using the CX-One auto-update service

CVEs (1)

CVE-2022-21137

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1146aca5-13ba-4dce-a4b4-fd24de097c41