OTPulse

Omron CJ1M PLC

Act Now · CVSS 9.1 · ICS-CERT ICSA-23-073-01 · Mar 31, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Omron CJ, CS, and CP series PLCs contain a memory protection bypass vulnerability (CWE-284) that allows an attacker to write to specific memory addresses, overwrite passwords, and block engineers from accessing their own memory regions. Affected products include CJ2H-CPU6, CJ1G-CPU, CS1H-CPU, CS1G-CPU, CS1D-CPU, CP2E, CP1H, CP1L, and CP1E series. No patch is available from the vendor. The vulnerability is remotely exploitable over FINS protocol with no authentication required when the device is network-accessible.

What this means
What could happen
An attacker with network access to your PLC could bypass memory protections and overwrite program logic or authentication credentials, potentially causing unauthorized changes to process setpoints, disabling safety interlocks, or locking legitimate engineers out of the device. Because no patch is available, this risk is permanent without network isolation.
Who's at risk
Manufacturing facilities using Omron PLC platforms for process control should prioritize this immediately. Affected equipment includes all CJ series (CJ2H-CPU6, CJ1G-CPU), CS series (CS1H-CPU, CS1G-CPU, CS1D-CPU), and CP series (CP2E, CP1H, CP1L, CP1E) controllers. Organizations running discrete manufacturing, chemical processing, water treatment, or other continuous-operation environments where unauthorized PLC modifications could affect product quality or safety are particularly at risk.
How it could be exploited
An attacker sends crafted FINS protocol packets (port 9600) to the PLC containing memory write commands targeting protected memory regions. If the PLC is reachable from the network and FINS write protection is not enabled, the attacker can directly overwrite memory addresses containing passwords or program logic without providing credentials.
Prerequisites
  • Network access to FINS port 9600 on the PLC
  • FINS write protection function not enabled
  • IP-based access protection not configured
remotely exploitable · no authentication required · low complexity · no patch available · affects control logic and safety interlocks · no known public exploits, but vulnerability characteristics make exploitation straightforward
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (23)
6 pending · 17 EOL
Product | Affected Versions | Fix Status
CJ2M-CPU □ □ | All versions | No fix yet
CS1D-CPU □ □ HA | All versions | No fix yet
CS1D-CPU □ □ H | All versions | No fix yet
CS1D-CPU □ □ SA | All versions | No fix yet
CS1D-CPU □ □ S | All versions | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Enable the hardware DIP switch on the front panel of the CPU Unit to prohibit writing to User Memory (UM)
  • HARDENING: Set a User Memory (UM) read protection password and enable the 'Prohibit from overwriting to a protected program' option in the PLC configuration
  • WORKAROUND: Enable the FINS write protection function and restrict FINS writes by IP address
  • WORKAROUND: Configure firewall rules to block access to FINS port 9600 from untrusted networks and close all unused communication ports
  • HARDENING: Isolate all affected PLC networks from your IT network and the Internet; place them behind a firewall with no direct external connectivity
  • HARDENING: Scan all USB drives and external media for malware before connecting them to systems with PLC access
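As an added example, not part of the OTPulse advisory or of Omron's own tooling: a small Python monitor that parses FINS/UDP frames sent to port 9600 and raises an alert for memory, program or run-state write commands coming from any host outside an engineering-workstation allowlist, which is exactly the traffic the IP-restriction and firewall items above are meant to stop. The allowlist, IP addresses and sample datagrams are constructed for the demonstration; the command codes are Omron's public FINS codes, not values taken from this page.

```python
import struct

# FINS command codes (MRC, SRC) that change PLC memory, program or run state. Codes are
# from the public Omron FINS command reference; the advisory itself names only "memory write commands".
WRITE_COMMANDS = {
    (0x01, 0x02): "MEMORY AREA WRITE",
    (0x01, 0x03): "MEMORY AREA FILL",
    (0x02, 0x02): "PARAMETER AREA WRITE",
    (0x03, 0x02): "PROGRAM AREA WRITE",
    (0x04, 0x01): "RUN",
    (0x04, 0x02): "STOP",
}
# Assumption: only these engineering workstations may write to the PLCs.
ENGINEERING_ALLOWLIST = {"10.10.1.20"}

def parse_fins_udp(payload):
    """FINS/UDP frame: 10-byte header (ICF RSV GCT DNA DA1 DA2 SNA SA1 SA2 SID),
    then MRC SRC and the command body. Responses (ICF bit 0x40) and short frames -> None."""
    if len(payload) < 12 or payload[0] & 0x40:
        return None
    return {"sid": payload[9], "cmd": (payload[10], payload[11]), "body": payload[12:]}

def flag_unauthorised_writes(datagrams):
    """datagrams: (src_ip, dst_ip, dst_port, udp_payload) tuples. Returns one alert per
    write/state-change command sent to port 9600 from a host not on the allowlist."""
    alerts = []
    for src_ip, dst_ip, dst_port, payload in datagrams:
        frame = parse_fins_udp(payload) if dst_port == 9600 else None
        if frame is None:
            continue
        name = WRITE_COMMANDS.get(frame["cmd"])
        if name is None or src_ip in ENGINEERING_ALLOWLIST:
            continue
        detail = ""
        if frame["cmd"] == (0x01, 0x02) and len(frame["body"]) >= 6:
            # MEMORY AREA WRITE body: area code, word address, bit, item count, then data
            area, word, _bit, count = struct.unpack(">BHBH", frame["body"][:6])
            detail = f" area=0x{area:02X} word={word} count={count}"
        alerts.append(f"{src_ip} -> {dst_ip}: FINS {name}{detail}")
    return alerts

# Constructed sample traffic, not captured from any real network.
FINS_HDR = bytes([0x80, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x0A, 0x00, 0x01])
DM100_WRITE = FINS_HDR + bytes([0x01, 0x02, 0x82, 0x00, 0x64, 0x00, 0x00, 0x01, 0x00, 0x2A])
SAMPLE = [
    ("10.10.1.20", "10.10.1.5", 9600, DM100_WRITE),                      # allowed workstation
    ("192.0.2.50", "10.10.1.5", 9600, DM100_WRITE),                      # unknown host, flagged
    ("192.0.2.50", "10.10.1.5", 9600, FINS_HDR + bytes([0x01, 0x01])),  # read only, not flagged
    ("10.10.1.5", "192.0.2.50", 9600, bytes([0xC0]) + DM100_WRITE[1:]), # response frame, ignored
]
```

Running `flag_unauthorised_writes(SAMPLE)` yields a single alert for the unknown host's write to DM100; the same logic can be fed from a packet capture on the PLC segment to verify that the IP restriction actually holds.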
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Use a Virtual Private Network (VPN) for any remote access to these PLC systems
  • HARDENING: Enforce multifactor authentication on all devices that have remote access to these PLCs
  • HARDENING: Ensure all engineering workstations with PLC access have current antivirus and malware protection installed and maintained
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CJ2H-CPU6 □ -EIP: All versions, CJ2H-CPU6 □: All versions, CJ1G-CPU □ □ P: All versions, CS1H-CPU □ □ H: All versions, CS1G-CPU □ □ H: All versions, CP2E-E □ □ D □ - □: All versions, CP2E-S □ □ D □ - □: All versions, CP2E-N □ □ D □ - □: All versions, CP1H-X40D □ - □: All versions, CP1H-XA40D □ - □: All versions, CP1H-Y20DT-D: All versions, CP1L-EL20D □ - □: All versions, CP1L-EM □ □ D □ - □: All versions, CP1L-L □ □ D □ - □: All versions, CP1L-M □ □ D □ - □: All versions, CP1E-E □ □ D □ - □: All versions, CP1E-NA □ □ D □ - □: All versions. Apply the following compensating controls:
  • HARDENING: Perform regular backups of PLC programs and configuration data to enable recovery in case of unauthorized memory modification