Yokogawa CENTUM and Exaopc
Plan Patch8.6ICS-CERT ICSA-22-083-01Mar 24, 2022
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary
Multiple vulnerabilities in CENTUM and Exaopc CAMS server functions (CWE-798, CWE-78, CWE-285, CWE-427, CWE-23, CWE-117) allow local attackers to suppress alarms, read or write files, crash the server, or execute arbitrary code. Affected versions include CENTUM CS 3000 (R3.08.10–R3.09.00, R4.01.00–R4.03.00, R5.01.00–R5.04.20, R6.01.00–R6.08.00), Exaopc (R3.72.00–R3.79.00), B/M9000CS (R5.04.01–R5.05.01), and B/M9000 VP (R6.01.01–R8.03.01). Vendor indicates no patch is currently available.
What this means
What could happen
An attacker with local access to a CENTUM or Exaopc system could suppress safety alarms, read or modify control files, crash the monitoring server, or execute arbitrary commands on the system. This could enable undetected changes to process setpoints, bypass safety interlocks, or cause uncontrolled shutdown of operations.
Who's at risk
Manufacturing plants and utilities operating Yokogawa CENTUM or Exaopc distributed control systems (DCS) are affected. This includes operators of CENTUM CS 3000 Entry Class systems, B/M9000CS, B/M9000 VP, and Exaopc monitoring stations. Any organization relying on CENTUM for process monitoring, alarm management, or safety-critical functions should assess their exposure.
How it could be exploited
An attacker with local user access to a workstation running CENTUM or Exaopc could exploit vulnerabilities in the CAMS server to execute arbitrary code, read sensitive files, or write malicious configuration files. The attack chain likely involves crafted input to CAMS server functions to bypass access controls and execute system commands.
Prerequisites
- Local access to a CENTUM or Exaopc workstation
- User-level account on the affected system
- Ability to interact with CAMS server functions (via GUI or direct access)
No authentication required for local exploitationLow attack complexityNo patch available from vendorAffects safety-critical alarm functionsArbitrary code execution possible
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (7)
6 pending1 EOL
ProductAffected VersionsFix Status
CENTUM and Exaopc - R4.01.00 - R4.03.00≥ R4.01.00 | ≤ R4.03.00No fix yet
CENTUM and Exaopc - R5.01.00 - R5.04.20≥ R5.01.00 | ≤ R5.04.20No fix yet
CENTUM and Exaopc - CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class): R3.08.10 - R3.09.00≥ R3.08.10 | ≤ R3.09.00No fix (EOL)
CENTUM and Exaopc - R6.01.00 - R6.08.00≥ R6.01.00 | ≤ R6.08.00No fix yet
CENTUM and Exaopc - Exaopc: (R3.72.00 - R3.79.00)≥ R3.72.00 | ≤ R3.79.00No fix yet
CENTUM and Exaopc - B/M9000CS: (R5.04.01 - R5.05.01)≥ R5.04.01 | ≤ R5.05.01No fix yet
CENTUM and Exaopc - B/M9000 VP: (R6.01.01 - R8.03.01)≥ R6.01.01 -| ≤ R8.03.01No fix yet
Remediation & Mitigation
0/5
Do now
0/2WORKAROUNDDisable or restrict CAMS server functions if not required for operations; document which CAMS features are actively used
HOTFIXContact Yokogawa technical support to confirm if any security patches or firmware updates are available for your specific CENTUM/Exaopc version
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HARDENINGMonitor CENTUM and Exaopc systems for unexpected CAMS server crashes, alarm suppression events, or unauthorized file modifications
Mitigations - no patch available
0/2CENTUM and Exaopc - CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class): R3.08.10 - R3.09.00 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGSegment CENTUM and Exaopc systems from untrusted networks using firewall rules and VLANs; restrict local access to engineering workstations to authorized personnel only
HARDENINGApply principle of least privilege: ensure users running CENTUM/Exaopc operate with standard user accounts, not administrator/root privileges
CVEs (7)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/d7d58f77-44b7-4226-bca5-98bdfe39cee3