OMRON CX-Programmer
Recommendation: Plan Patch
Score: 7.8
Advisory: ICS-CERT ICSA-22-277-04
Published: Oct 4, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
CX-Programmer versions 9.78 and earlier contain a buffer overflow vulnerability (CWE-787) that could allow an attacker with local access to crash the application or execute arbitrary code if the user opens a malformed file or interacts with crafted input. Omron has released version 9.79 to address this issue.
What this means
What could happen
An attacker with local access to a machine running CX-Programmer could crash the engineering application or run arbitrary code with the privileges of the user, potentially compromising project files or configuration data used to program Omron PLCs.
Who's at risk
This affects engineers and technicians who use Omron CX-Programmer on Windows machines to develop and test control logic for Omron PLCs. Any organization using Omron automation equipment with older versions of CX-Programmer should update.
How it could be exploited
An attacker needs local access to a computer running CX-Programmer and must get the user to open a malformed file or supply crafted input, for example a crafted project file. The resulting buffer overflow (CWE-787) can make the application unresponsive or cause it to execute arbitrary code.
Prerequisites
- Local access to the machine running CX-Programmer
- User interaction required (the user must open a malformed file or interact with the application)
- CX-Programmer version 9.78 or earlier
Key points
- Buffer overflow vulnerability
- Requires user interaction
- Local access only
- Could allow arbitrary code execution
- Affects engineering workstations
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: CX-Programmer
Affected versions: ≤ 9.78
Fix status: fixed in 9.79
Remediation & Mitigation
Do now
- HARDENING: Educate users not to open untrusted project files or accept files from unknown sources on CX-Programmer machines
Schedule (requires maintenance window)
- Patching may require a device reboot; plan for process interruption
- HOTFIX: Update CX-Programmer to version 9.79 or later via Omron's Auto Update Service
Long-term hardening
- HARDENING: Restrict local access to engineering workstations running CX-Programmer to authorized personnel only
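To find workstations that still need the 9.79 update, the following PowerShell inventory check is an added example and not part of the advisory or Omron's tooling. It assumes CX-Programmer registers in the standard Windows Uninstall registry keys with a DisplayName containing "CX-Programmer" and a numeric DisplayVersion such as "9.78"; adjust the name filter if your installs differ.

```powershell
# Added example: flag CX-Programmer installs older than the fixed version (9.79).
# Assumption (not from the advisory): the product appears under the standard
# Uninstall keys with DisplayName like "*CX-Programmer*" and DisplayVersion "9.xx".

$FixedVersion = [version]'9.79'   # from the advisory: 9.79 addresses ICSA-22-277-04

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-CxProgrammerStatus {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*CX-Programmer*' } |
        ForEach-Object {
            # Keep only the leading numeric part; an unparsable version is reported,
            # not guessed, so it can be verified manually.
            $clean  = ($_.DisplayVersion -replace '[^\d.].*$', '')
            $parsed = $null
            $ok     = [version]::TryParse($clean, [ref]$parsed)

            if (-not $ok)                      { $status = 'UNKNOWN - verify manually' }
            elseif ($parsed -lt $FixedVersion) { $status = 'VULNERABLE - update to 9.79 or later' }
            else                               { $status = 'OK' }

            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Status         = $status
            }
        }
}

$results = Get-CxProgrammerStatus
if (-not $results) {
    Write-Output "No CX-Programmer installation found on $env:COMPUTERNAME."
} else {
    $results | Format-Table -AutoSize
}
```

Run it through your usual remote-execution or endpoint-management channel to collect one row per engineering workstation.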