Omron CS/CJ Series
Monitor | 7.5 | ICS-CERT ICSA-23-108-01 | Apr 20, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Omron SYSMAC CS and CJ series PLCs contain a missing authentication vulnerability (CWE-306) that allows an attacker to access sensitive information in the file system and memory. The vulnerability affects all versions of multiple CPU models across the CS1D, CS1G, CS1H, CJ1G, and CJ2M/CJ2H product lines. Omron has not released a fix and states no patch is available.
What this means
What could happen
An attacker with network access to a SYSMAC PLC could read sensitive data from the device's file system and memory without credentials, including program logic, configuration data, and potentially security-critical information. This compromises the confidentiality of your control system and could allow an attacker to plan further attacks or extract intellectual property.
Who's at risk
Water and electric utilities, manufacturing plants, and any organization using Omron SYSMAC CS1D, CS1G, CS1H, CJ1G, CJ2H, or CJ2M series PLCs should be concerned. These devices are commonly used to control critical processes including pump stations, motor drives, process setpoints, and safety interlocks. Any facility with networked SYSMAC PLCs is affected.
How it could be exploited
An attacker on your network sends an unauthenticated FINS protocol request to the PLC on port 9600 (or another FINS port). Because the device lacks proper authentication checks, the PLC responds with sensitive information from its file system or memory. No credentials or special configuration is required.
Prerequisites
- Network access to FINS port (default 9600)
- FINS protocol enabled on the target PLC
- No previous authentication or credentials needed
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects control systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (11)
11 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| SYSMAC CJ2H-CPU6[]-EIP: all versions | All versions | No fix (EOL) |
| SYSMAC CJ2H-CPU6[]: all versions | All versions | No fix (EOL) |
| SYSMAC CJ2M-CPU[][]: all versions | All versions | No fix (EOL) |
| SYSMAC CJ1G-CPU[][]P: all versions | All versions | No fix (EOL) |
| SYSMAC CS1H-CPU[][]H: all versions | All versions | No fix (EOL) |
| SYSMAC CS1G-CPU[][]H: all versions | All versions | No fix (EOL) |
| SYSMAC CS1D-CPU[][]HA: all versions | All versions | No fix (EOL) |
| SYSMAC CS1D-CPU[][]H: all versions | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Enable FINS write protection function on all SYSMAC devices
- HARDENING: Restrict access to FINS port 9600 using firewall rules; allow only authorized engineering workstations and control systems
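The firewall restriction above can be checked against observed traffic. The following is an added example, not part of the advisory or of any Omron tooling: it audits flow records for connections to a PLC's FINS port from sources outside an allowlist. The log layout, addresses and allowlist are constructed assumptions.

```python
import csv
import io
import ipaddress

# All addresses and the log layout below are constructed for this example.
FINS_PORTS = {9600}                       # default FINS port named in the advisory
PLC_HOSTS = {"10.20.0.11", "10.20.0.12"}  # hypothetical SYSMAC PLC addresses
ALLOWED_SOURCES = [                       # hypothetical engineering workstations / control systems
    ipaddress.ip_network("10.20.1.0/28"),
    ipaddress.ip_network("10.20.0.50/32"),
]

SAMPLE_FLOWS = """\
2023-04-20T08:00:01Z,10.20.1.5,10.20.0.11,udp,9600
2023-04-20T08:00:07Z,192.168.40.23,10.20.0.11,udp,9600
2023-04-20T08:01:12Z,10.20.0.50,10.20.0.12,tcp,9600
2023-04-20T08:02:30Z,192.168.40.23,10.20.0.12,tcp,443
2023-04-20T08:03:44Z,172.16.9.8,10.20.0.12,tcp,9600
malformed line without enough fields
"""


def is_allowed(src: str) -> bool:
    """True if src falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def unauthorized_fins_flows(log_text: str):
    """Return (timestamp, src, dst, proto) for FINS flows to a PLC from a non-allowlisted source."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed records rather than abort the audit
        ts, src, dst, proto, dport = (field.strip() for field in row)
        try:
            port = int(dport)
            allowed = is_allowed(src)
        except ValueError:
            continue  # non-numeric port or unparsable source address
        if dst in PLC_HOSTS and port in FINS_PORTS and not allowed:
            findings.append((ts, src, dst, proto.lower()))
    return findings


if __name__ == "__main__":
    for finding in unauthorized_fins_flows(SAMPLE_FLOWS):
        print("unauthorized FINS access:", *finding)
```

Any finding means a host outside the allowlist reached a PLC on the FINS port, so the firewall rule is either missing or too broad for that path.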
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Isolate SYSMAC control systems from the IT network; do not allow direct connections from office networks or the internet
- HARDENING: Disable or shut down any unused FINS communication ports on the PLCs
- HARDENING: Implement a VPN for any remote access to SYSMAC devices; do not allow direct internet exposure
- HARDENING: Use strong passwords on all SYSMAC devices and change them frequently; enforce multifactor authentication where possible
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SYSMAC CJ2H-CPU6[]-EIP: all versions, SYSMAC CJ2H-CPU6[]: all versions, SYSMAC CJ2M-CPU[][]: all versions, SYSMAC CJ1G-CPU[][]P: all versions, SYSMAC CS1H-CPU[][]H: all versions, SYSMAC CS1G-CPU[][]H: all versions, SYSMAC CS1D-CPU[][]HA: all versions, SYSMAC CS1D-CPU[][]H: all versions, SYSMAC CS1D-CPU[][]SA: all versions, SYSMAC CS1D-CPU[][]S: all versions, SYSMAC CS1D-CPU[][]P: all versions. Apply the following compensating controls:
- HARDENING: Implement physical access controls to SYSMAC devices; restrict USB and portable media to prevent unauthorized firmware updates or data extraction
- HARDENING: Maintain regular data backups of PLC configuration and programs; validate backups to prepare for potential data loss
CVEs (1)