Omron CJ1M PLC

Plan PatchCVSS 9.1ICS-CERT ICSA-23-073-01Mar 31, 2023

OmronManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Omron CJ, CS, and CP series PLCs contain a memory protection bypass vulnerability (CWE-284) that allows an attacker to write to specific memory addresses, overwrite passwords, and block engineers from accessing their own memory regions. Affected products include CJ2H-CPU6, CJ1G-CPU, CS1H-CPU, CS1G-CPU, CS1D-CPU, CP2E, CP1H, CP1L, and CP1E series. No patch is available from the vendor. The vulnerability is remotely exploitable over FINS protocol with no authentication required when the device is network-accessible.

What this means

What could happen

An attacker with network access to your PLC could bypass memory protections and overwrite program logic or authentication credentials, potentially causing unauthorized changes to process setpoints, disabling safety interlocks, or locking legitimate engineers out of the device. Because no patch is available, this risk is permanent without network isolation.

Who's at risk

Manufacturing facilities using Omron PLC platforms for process control should prioritize this immediately. Affected equipment includes all CJ series (CJ2H-CPU6, CJ1G-CPU), CS series (CS1H-CPU, CS1G-CPU, CS1D-CPU), and CP series (CP2E, CP1H, CP1L, CP1E) controllers. Organizations running discrete manufacturing, chemical processing, water treatment, or other continuous-operation environments where unauthorized PLC modifications could affect product quality or safety are particularly at risk.

How it could be exploited

An attacker sends crafted FINS protocol packets (port 9600) to the PLC containing memory write commands targeting protected memory regions. If the PLC is reachable from the network and FINS write protection is not enabled, the attacker can directly overwrite memory addresses containing passwords or program logic without providing credentials.

Prerequisites

Network access to FINS port 9600 on the PLC
FINS write protection function not enabled
IP-based access protection not configured

remotely exploitableno authentication requiredlow complexityno patch availableaffects control logic and safety interlocksno known public exploits but vulnerability characteristics make exploitation straightforward

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (23)

6 pending17 EOL

ProductAffected VersionsFix Status

CJ2M-CPU □ □: All versionsAll versionsNo fix yet

CS1D-CPU □ □ HA: All versionsAll versionsNo fix yet

CS1D-CPU □ □ H: All versionsAll versionsNo fix yet

CS1D-CPU □ □ SA: All versionsAll versionsNo fix yet

CS1D-CPU □ □ S: All versionsAll versionsNo fix yet

Remediation & Mitigation

0/10

Do now

0/6

HARDENINGEnable the hardware DIP switch on the front panel of the CPU Unit to prohibit writing to User Memory (UM)

HARDENINGSet a User Memory (UM) read protection password and enable the 'Prohibit from overwriting to a protected program' option in the PLC configuration

WORKAROUNDEnable the FINS write protection function and restrict FINS writes by IP address

WORKAROUNDConfigure firewall rules to block access to FINS port 9600 from untrusted networks and close all unused communication ports

HARDENINGIsolate all affected PLC networks from your IT network and the Internet; place them behind a firewall with no direct external connectivity

HARDENINGScan all USB drives and external media for malware before connecting them to systems with PLC access

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGUse a Virtual Private Network (VPN) for any remote access to these PLC systems

HARDENINGEnforce multifactor authentication on all devices that have remote access to these PLCs

HARDENINGEnsure all engineering workstations with PLC access have current antivirus and malware protection installed and maintained

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: CJ2H-CPU6 □ -EIP: All versions, CJ2H-CPU6 □: All versions, CJ1G-CPU □ □ P: All versions, CS1H-CPU □ □ H: All versions, CS1G-CPU □ □ H: All versions, CP2E-E □ □ D □ - □: All versions, CP2E-S □ □ D □- □: All versions, CP2E-N □ □ D □ - □: All versions, CP1H-X40D □ - □: All versions, CP1H-XA40D □ - □: All versions, CP1H-Y20DT-D: All versions, CP1L-EL20D □ - □: All versions, CP1L-EM □ □ D □ - □: All versions, CP1L-L □ □ D □- □: All versions, CP1L-M □ □ D □ - □: All versions, CP1E-E □ □ D □ - □: All versions, CP1E-NA □ □ D □ - □: All versions. Apply the following compensating controls:

HARDENINGPerform regular backups of PLC programs and configuration data to enable recovery in case of unauthorized memory modification

CVEs (1)

CVE-2023-0811

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3802a7f7-c3d0-4fac-b8a1-9026aaaf0f55

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.