OTPulse

Omron SYSMAC CS/CJ/CP Series and NJ/NX Series

Monitor | CVSS 6.5 | ICS-CERT ICSA-22-179-02 | Jun 28, 2022
Summary

Multiple vulnerabilities in Omron SYSMAC controllers (CS, CJ, CP, and NJ/NX series) and related programming/communication devices allow remote code execution and denial-of-service via weak password protections, insecure communication protocols without encryption, and lack of authentication enforcement on critical functions. Affected products include the CP1W-CIF41 Ethernet interface, the CX-Programmer engineering software, and all major SYSMAC PLC families. The vulnerabilities stem from unencrypted credential transmission, missing or bypassable authentication on firmware uploads, and hardcoded or default password mechanisms.

What this means
What could happen
An attacker on your network could modify PLC programs, upload malicious firmware, or cause PLCs to stop responding, disrupting production equipment control and process automation. This is particularly serious for CP1W-CIF41 and CJ/CX-series controllers where there is no vendor fix available.
Who's at risk
Manufacturing facilities operating Omron SYSMAC PLC systems (CS1, CJ2H, CJ2M, CP1E/CP1H, CP1L, NJ/NX series) and those using CP1W-CIF41 Ethernet interface boards for remote monitoring or control. Also affects any site using CX-Programmer engineering software for PLC programming and commissioning. This includes discrete manufacturing, process automation, and assembly lines.
How it could be exploited
An attacker with network access to a SYSMAC controller or CX-Programmer workstation can intercept unencrypted password traffic, bypass weak authentication on program upload functions, or exploit missing password protection to upload unauthorized PLC programs or firmware. The attacker sends crafted packets to port 9600 (FINS protocol) or exploits the programming port without proper credential validation, allowing remote code execution on the controller.
Prerequisites
  • Network access to the PLC on port 9600 (FINS protocol) or to the engineering workstation running CX-Programmer
  • For CP1W-CIF41: network access to the Ethernet interface board with default or weak credentials
  • For firmware upload exploits: ability to send crafted FINS protocol packets; no valid engineering credentials required for some variants
  • PLC must not have optional password protection or DIP switches enabled (these are optional protections, not default)
  • Remotely exploitable via FINS protocol without encryption
  • No authentication required for some attack paths (firmware upload, program changes)
  • No vendor patch available for CP1W-CIF41 (all versions) or several CJ/CP product lines
  • Actively exploitable without public exploit code (CVSS 6.5, EPSS 0.2% reflects low current exploit probability but not low inherent risk)
  • Affects safety-critical industrial controllers
  • Unencrypted credential transmission (CWE-319)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (8)
7 with fix, 1 EOL

Product                 Affected Versions        Fix Status
CP1W-CIF41              All versions             No fix (EOL)
SYSMAC CJ2H             < 1.5                    1.5
SYSMAC CP1E/CP1H        < 1.30                   1.30
SYSMAC CP1L             < 1.10                   1.10
SYSMAC CS1              < 4.1                    4.1
SYSMAC CX-Programmer    < 9.6                    9.6
SYSMAC CJ2M             < 2.1                    2.1
SYSMAC NJ/NX Series     < 1.49 (1.29 for NX7)    1.49 (1.29 for NX7)

Remediation & Mitigation
Do now
  • HARDENING: Enable the extended password protection function on all SYSMAC CS/CJ/CP controllers to enforce strong authentication on program uploads and access
  • HARDENING: Set and enforce protection passwords on all SYSMAC CS/CJ/CP controllers and enable protection against unauthorized write access
  • HARDENING: Enable hardware DIP switches on all SYSMAC PLCs to prevent unauthorized program changes regardless of password state
  • HARDENING: Use different and complex passwords for CP1W-CIF41 Ethernet interface board and the CP1 PLC itself; do not rely on Web UI password for PLC access control
  • HARDENING: Restrict network access to SYSMAC controllers and programming workstations to authorized engineering stations only via firewall rules
  • HARDENING: If remote access to engineering workstations is required, use VPN with current patches; do not expose CX-Programmer or FINS ports to the Internet
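
One way to audit flow records against the engineering-station restriction above, as an added example that is not part of the original advisory or any Omron tooling. The PLC subnet, engineering station address and log format are assumptions (constructed sample data on documentation address ranges); port 9600 is checked over both UDP and TCP.

```python
import ipaddress

FINS_PORT = 9600  # FINS port named in the advisory (FINS/UDP and FINS/TCP)
# Assumed site values, using documentation address ranges as placeholders.
PLC_NET = ipaddress.ip_network("192.0.2.0/24")
ENGINEERING_STATIONS = {ipaddress.ip_address("198.51.100.10")}

# Constructed flow records: timestamp, source, destination, protocol, dest port.
SAMPLE_FLOWS = """\
2022-06-28T08:00:01Z 198.51.100.10 192.0.2.20 udp 9600
2022-06-28T08:00:05Z 198.51.100.77 192.0.2.20 udp 9600
2022-06-28T08:01:12Z 203.0.113.5 192.0.2.21 tcp 9600
2022-06-28T08:02:00Z 198.51.100.77 192.0.2.20 tcp 443
malformed line
2022-06-28T08:03:30Z 192.0.2.21 192.0.2.20 udp 9600
"""

def unauthorized_fins_flows(text, plc_net=PLC_NET, allowed=ENGINEERING_STATIONS):
    """Return FINS flows to the PLC subnet whose source is not an allowed station."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        ts, src, dst, proto, dport = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if port != FINS_PORT or proto not in ("tcp", "udp"):
            continue
        if dst_ip not in plc_net or src_ip in allowed:
            continue
        # Controllers also exchange FINS with each other; tag those for review
        # separately from sources outside the control network.
        kind = "peer-controller" if src_ip in plc_net else "unauthorized-source"
        findings.append((ts, src, dst, proto, kind))
    return findings

if __name__ == "__main__":
    for finding in unauthorized_fins_flows(SAMPLE_FLOWS):
        print(*finding)
```

Any "unauthorized-source" result means the firewall restriction is missing or not effective for that path; "peer-controller" results should be compared against the expected controller-to-controller links.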
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade SYSMAC CJ2H to version 1.5 or later
  • HOTFIX: Upgrade SYSMAC CJ2M to version 2.1 or later
  • HOTFIX: Upgrade SYSMAC CP1E/CP1H to version 1.30 or later
  • HOTFIX: Upgrade SYSMAC CP1L to version 1.10 or later
  • HOTFIX: Upgrade SYSMAC CS1 to version 4.1 or later
  • HOTFIX: Upgrade CX-Programmer to version 9.6 or higher
  • HOTFIX: Upgrade SYSMAC NJ/NX Series to version 1.49 or later (1.29 or later for NX7 models)
Mitigations - no patch available
CP1W-CIF41 (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Segment SYSMAC control system networks from the business network using firewalls and industrial DMZs