92 vulnerabilities by OMRON Corporation
JVNDB-2025-008881
Vulnerability from jvndb - Published: 2025-07-15 15:54 - Updated: 2025-07-15 15:54
Severity
Summary
Least Privilege Violation Vulnerability in the communications functions of NJ/NX series Machine Automation Controllers
Details
A least privilege violation vulnerability (CWE-272, CVE-2025-1384) exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software provided by OMRON Corporation.
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-008881.html",
"dc:date": "2025-07-15T15:54+09:00",
"dcterms:issued": "2025-07-15T15:54+09:00",
"dcterms:modified": "2025-07-15T15:54+09:00",
"description": "Least privilege violation vulnerability (CWE-272) exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software provided by OMRON Corporation. - CVE-2025-1384\r\n\r\nOMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-008881.html",
"sec:cpe": [
{
"#text": "cpe:/a:omron:automation_software_sysmac_studio",
"@product": "Automation software \"Sysmac Studio\"",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:machine_automation_controller_nj_series",
"@product": "Machine automation controller NJ series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:machine_automation_controller_nx_series",
"@product": "Machine automation controller NX series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "7.0",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-008881",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU96149970/index.html",
"@id": "JVNVU#96149970",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-1384",
"@id": "CVE-2025-1384",
"@source": "CVE"
},
{
"#text": "https://cwe.mitre.org/data/definitions/272.html",
"@id": "CWE-272",
"@title": "Least Privilege Violation(CWE-272)"
}
],
"title": "Least Privilege Violation Vulnerability in the communications functions of NJ/NX series Machine Automation Controllers"
}
JVNDB-2025-001562
Vulnerability from jvndb - Published: 2025-02-18 16:24 - Updated: 2025-02-18 16:24
Severity
Summary
Out-of-bounds read vulnerability in OMRON CX-Programmer
Details
CX-Programmer provided by OMRON Corporation contains an out-of-bounds read vulnerability (CWE-125, CVE-2025-0591).
Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-001562.html",
"dc:date": "2025-02-18T16:24+09:00",
"dcterms:issued": "2025-02-18T16:24+09:00",
"dcterms:modified": "2025-02-18T16:24+09:00",
"description": "CX-Programmer provided by OMRON Corporation contains an out-of-bounds read vulnerability (CWE-125, CVE-2025-0591).\r\n\r\nMichael Heinzl reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-001562.html",
"sec:cpe": {
"#text": "cpe:/a:omron:cx-one",
"@product": "CX-One",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-001562",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU92320053/",
"@id": "JVNVU#92320053",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-0591",
"@id": "CVE-2025-0591",
"@source": "CVE"
},
{
"#text": "https://cwe.mitre.org/data/definitions/125.html",
"@id": "CWE-125",
"@title": "Out-of-bounds Read(CWE-125)"
}
],
"title": "Out-of-bounds read vulnerability in OMRON CX-Programmer"
}
JVNDB-2025-001016
Vulnerability from jvndb - Published: 2025-02-06 18:27 - Updated: 2025-05-08 17:44
Severity
Summary
OMRON NJ/NX series vulnerable to path traversal
Details
Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-12083).
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-001016.html",
"dc:date": "2025-05-08T17:44+09:00",
"dcterms:issued": "2025-02-06T18:27+09:00",
"dcterms:modified": "2025-05-08T17:44+09:00",
"description": "Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-12083).\r\n\r\nOMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-001016.html",
"sec:cpe": [
{
"#text": "cpe:/a:omron:machine_automation_controller_nj_series",
"@product": "Machine automation controller NJ series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:machine_automation_controller_nx_series",
"@product": "Machine automation controller NX series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "6.6",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-001016",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU96335720/index.html",
"@id": "JVNVU#96335720",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-12083",
"@id": "CVE-2024-12083",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
}
],
"title": "OMRON NJ/NX series vulnerable to path traversal"
}
JVNDB-2025-001018
Vulnerability from jvndb - Published: 2025-02-06 18:26 - Updated: 2025-02-06 18:26
Severity
Summary
Improper restriction of XML external entity reference (XXE) vulnerability in OMRON NB-Designer
Details
NB-Designer provided by OMRON Corporation contains an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611, CVE-2024-12298).
Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-001018.html",
"dc:date": "2025-02-06T18:26+09:00",
"dcterms:issued": "2025-02-06T18:26+09:00",
"dcterms:modified": "2025-02-06T18:26+09:00",
"description": "NB-Designer provided by OMRON Corporation contains an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611, CVE-2024-12298).\r\n\r\nMichael Heinzl reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-001018.html",
"sec:cpe": {
"#text": "cpe:/o:omron:nb-designer",
"@product": "NB-Designer",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "5.5",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-001018",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU98734299/index.html",
"@id": "JVNVU#98734299",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-12298",
"@id": "CVE-2024-12298",
"@source": "CVE"
},
{
"#text": "https://cwe.mitre.org/data/definitions/611.html",
"@id": "CWE-611",
"@title": "Improper Restriction of XML External Entity Reference(CWE-611)"
}
],
"title": "Improper restriction of XML external entity reference (XXE) vulnerability in OMRON NB-Designer"
}
JVNDB-2024-011833
Vulnerability from jvndb - Published: 2024-11-05 15:29 - Updated: 2024-11-05 15:29
Severity
Summary
Incorrect authorization vulnerability in OMRON Sysmac Studio
Details
Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability (CWE-863, CVE-2024-49501).
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC coordinated with OMRON Corporation for the JVN advisory publication.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-011833.html",
"dc:date": "2024-11-05T15:29+09:00",
"dcterms:issued": "2024-11-05T15:29+09:00",
"dcterms:modified": "2024-11-05T15:29+09:00",
"description": "Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability (CWE-863, CVE-2024-49501).\r\n\r\nOMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC coordinated with OMRON Corporation for the JVN advisory publication.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-011833.html",
"sec:cpe": {
"#text": "cpe:/a:omron:sysmac-se2",
"@product": "SYSMAC-SE2[][][]",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "5.7",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-011833",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU95685374/index.html",
"@id": "JVNVU#95685374",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-49501",
"@id": "CVE-2024-49501",
"@source": "CVE"
},
{
"#text": "https://cwe.mitre.org/data/definitions/863.html",
"@id": "CWE-863",
"@title": "Incorrect Authorization(CWE-863)"
}
],
"title": "Incorrect authorization vulnerability in OMRON Sysmac Studio"
}
JVNDB-2024-003242
Vulnerability from jvndb - Published: 2024-05-28 12:28 - Updated: 2024-07-26 16:27
Severity
Summary
OMRON NJ/NX series vulnerable to insufficient verification of data authenticity
Details
Machine Automation Controller NJ/NX series provided by OMRON Corporation contain an issue with insufficient verification of data authenticity (CWE-345).
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003242.html",
"dc:date": "2024-07-26T16:27+09:00",
"dcterms:issued": "2024-05-28T12:28+09:00",
"dcterms:modified": "2024-07-26T16:27+09:00",
"description": "Machine Automation Controller NJ/NX series provided by OMRON Corporation contain an issue with insufficient verification of data authenticity (CWE-345).\r\n\r\nOMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003242.html",
"sec:cpe": [
{
"#text": "cpe:/a:omron:machine_automation_controller_nj_series",
"@product": "Machine automation controller NJ series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:machine_automation_controller_nx_series",
"@product": "Machine automation controller NX series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "4.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-003242",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU92504444/index.html",
"@id": "JVNVU#92504444",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-33687",
"@id": "CVE-2024-33687",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2024-33687",
"@id": "CVE-2024-33687",
"@source": "NVD"
},
{
"#text": "https://cwe.mitre.org/data/definitions/345.html",
"@id": "CWE-345",
"@title": "Insufficient Verification of Data Authenticity(CWE-345)"
}
],
"title": "OMRON NJ/NX series vulnerable to insufficient verification of data authenticity"
}
JVNDB-2024-003116
Vulnerability from jvndb - Published: 2024-04-24 10:13 - Updated: 2024-04-24 10:13
Severity
Summary
Multiple vulnerabilities in OMRON Sysmac Studio/CX-One and CX-Programmer
Details
OMRON Sysmac Studio/CX-One and CX-Programmer contain multiple vulnerabilities listed below.
* Out-of-bounds read (CWE-125) - CVE-2024-31412
* Free of pointer not at start of buffer (CWE-761) - CVE-2024-31413
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003116.html",
"dc:date": "2024-04-24T10:13+09:00",
"dcterms:issued": "2024-04-24T10:13+09:00",
"dcterms:modified": "2024-04-24T10:13+09:00",
"description": "OMRON Sysmac Studio/CX-One and CX-Programmer contain multiple vulnerabilities listed below.\r\n\r\n * Out-of-bounds read (CWE-125) - CVE-2024-31412\r\n\r\n * Free of pointer not at start of buffer (CWE-761) - CVE-2024-31413\r\n\r\nMichael Heinzl reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003116.html",
"sec:cpe": [
{
"#text": "cpe:/a:omron:cx-one",
"@product": "CX-One",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:cx-programmer",
"@product": "CX-Programmer",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:sysmac_studio",
"@product": "Sysmac Studio",
"@vendor": "OMRON Corporation",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-003116",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU98274902/index.html",
"@id": "JVNVU#98274902",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-31412",
"@id": "CVE-2024-31412",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-31413",
"@id": "CVE-2024-31413",
"@source": "CVE"
},
{
"#text": "https://cwe.mitre.org/data/definitions/125.html",
"@id": "CWE-125",
"@title": "Out-of-bounds Read(CWE-125)"
},
{
"#text": "https://cwe.mitre.org/data/definitions/761.html",
"@id": "CWE-761",
"@title": "Free of Pointer not at Start of Buffer(CWE-761)"
}
],
"title": "Multiple vulnerabilities in OMRON Sysmac Studio/CX-One and CX-Programmer"
}
JVNDB-2024-002942
Vulnerability from jvndb - Published: 2024-03-08 14:16 - Updated: 2024-03-08 14:16
Severity
Summary
OMRON NJ/NX series vulnerable to path traversal
Details
Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-27121).
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-002942.html",
"dc:date": "2024-03-08T14:16+09:00",
"dcterms:issued": "2024-03-08T14:16+09:00",
"dcterms:modified": "2024-03-08T14:16+09:00",
"description": "Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-27121).\r\n\r\nOMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-002942.html",
"sec:cpe": [
{
"#text": "cpe:/a:omron:machine_automation_controller_nj_series",
"@product": "Machine automation controller NJ series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:omron:machine_automation_controller_nx_series",
"@product": "Machine automation controller NX series",
"@vendor": "OMRON Corporation",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "7.2",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-002942",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU95852116/index.html",
"@id": "JVNVU#95852116",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-27121",
"@id": "CVE-2024-27121",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
}
],
"title": "OMRON NJ/NX series vulnerable to path traversal"
}
JVNDB-2023-003956
Vulnerability from jvndb - Published: 2023-10-24 16:11 - Updated: 2024-05-10 17:47
Severity
Summary
Improper restriction of XML external entity reference (XXE) vulnerability in OMRON CX-Designer
Details
CX-Designer provided by OMRON Corporation contains an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611).
Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-003956.html",
"dc:date": "2024-05-10T17:47+09:00",
"dcterms:issued": "2023-10-24T16:11+09:00",
"dcterms:modified": "2024-05-10T17:47+09:00",
"description": "CX-Designer provided by OMRON Corporation contains an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611).\r\n\r\nMichael Heinzl reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-003956.html",
"sec:cpe": {
"#text": "cpe:/a:omron:cx-designer",
"@product": "CX-Designer",
"@vendor": "OMRON Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "5.5",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2023-003956",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU98683567/",
"@id": "JVNVU#98683567",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-43624",
"@id": "CVE-2023-43624",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-43624",
"@id": "CVE-2023-43624",
"@source": "NVD"
},
{
"#text": "https://cwe.mitre.org/data/definitions/611.html",
"@id": "CWE-611",
"@title": "Improper Restriction of XML External Entity Reference(CWE-611)"
}
],
"title": "Improper restriction of XML external entity reference (XXE) vulnerability in OMRON CX-Designer"
}
CVE-2025-1384 (GCVE-0-2025-1384)
Vulnerability from nvd – Published: 2025-07-13 23:42 – Updated: 2025-07-14 14:15
VLAI
Title
Least Privilege Violation Vulnerability in the communications functions of NJ/NX-series Machine Automation Controllers
Summary
A Least Privilege Violation (CWE-272) vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to gain unauthorized access to the controller products and to remotely execute unauthorized code on them.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-272 - Least Privilege Violation
Assigner
References
Impacted products
15 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T14:14:22.828617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T14:15:23.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"packageName": "NJ101-[][][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ101-[][][][] Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ301-1[]00",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ301-1[]00 Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]00",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]00 Ver.1.67.02 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]20",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]20 Ver.1.68.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1340",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1340 Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-4[][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-4[][][] Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-5300",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-5300 Ver.1.67.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-R[]00",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[]00 Ver.1.67.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-R[]20",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[]20 Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX102-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][][][] Ver.1.68.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][] Ver.1.64.09 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]1",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][]1 Ver.1.64.09 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX502-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX502-[][][][] Ver.1.68.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX701-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX701-[][][][] Ver.1.35.09 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "SYSMAC-SE2[][][]",
"product": "Sysmac Studio Software",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "SYSMAC-SE2[][][] all"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Least Privilege Violation (CWE-272) Vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"value": "Least Privilege Violation (CWE-272) Vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-272",
"description": "CWE-272 Least Privilege Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-13T23:42:09.953Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-004_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-004_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The countermeasure against the vulnerability can be implemented by updating each product to the countermeasure version and setting the secure communication version 2.\u003cbr\u003eFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors. \u003cbr\u003e"
}
],
"value": "The countermeasure against the vulnerability can be implemented by updating each product to the countermeasure version and setting the secure communication version 2.\nFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors."
}
],
"source": {
"advisory": "OMSR-2025-004",
"discovery": "UNKNOWN"
},
"title": "Least Privilege Violation Vulnerability in the communications functions of NJ/NX-series Machine Automation Controllers",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of this vulnerability.\u003cbr\u003e\u003cbr\u003e1. Secure Communication Function\u003cbr\u003eThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\u003cbr\u003e- NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\u003cbr\u003e- NX701 CPU Unit: Version 1.29 or higher\u003cbr\u003e- NX502 CPU Unit: Version 1.60 or higher\u003cbr\u003e\u003cbr\u003e2. Anti-virus protection\u003cbr\u003eProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e3. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e4. Data input and output protection\u003cbr\u003eValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e5. Data recovery\u003cbr\u003ePeriodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of this vulnerability.\n\n1. Secure Communication Function\nThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\n- NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\n- NX701 CPU Unit: Version 1.29 or higher\n- NX502 CPU Unit: Version 1.60 or higher\n\n2. Anti-virus protection\nProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n3. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n4. Data input and output protection\nValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n5. Data recovery\nPeriodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2025-1384",
"datePublished": "2025-07-13T23:42:09.953Z",
"dateReserved": "2025-02-16T23:57:46.232Z",
"dateUpdated": "2025-07-14T14:15:23.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0591 (GCVE-0-2025-0591)
Vulnerability from nvd – Published: 2025-02-16 23:58 – Updated: 2025-02-18 16:06
VLAI
Title
Out-of-bounds Read vulnerability in CX-Programmer
Summary
Out-of-bounds Read vulnerability (CWE-125) was found in CX-Programmer. Attackers may be able to read sensitive information or cause an application crash by abusing this vulnerability.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| OMRON Corporation | FA Integrated Tool Package CX-One | Affected: Ver.9.83 or lower |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T16:06:06.684155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T16:06:14.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "CX-Programmer",
"product": "FA Integrated Tool Package CX-One",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.9.83 or lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Out-of-bounds Read vulnerability (CWE-125) was found in CX-Programmer. Attackers may be able to read sensitive information or cause an application crash by abusing this vulnerability."
}
],
"value": "Out-of-bounds Read vulnerability (CWE-125) was found in CX-Programmer. Attackers may be able to read sensitive information or cause an application crash by abusing this vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-540",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-540 Overread Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-16T23:58:32.165Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-003_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-003_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update your CX-Programmer to the countermeasure version to fix the vulnerability.\u003cbr\u003eFor information on how to obtain and update the countermeasure version of the product, please contact our sales representative or distributor. You can update CX-One to the latest versions using the installed Omron Automation Software AutoUpdate tool.\u003cbr\u003e"
}
],
"value": "Update your CX-Programmer to the countermeasure version to fix the vulnerability.\nFor information on how to obtain and update the countermeasure version of the product, please contact our sales representative or distributor. You can update CX-One to the latest versions using the installed Omron Automation Software AutoUpdate tool."
}
],
"source": {
"advisory": "OMSR-2025-003",
"discovery": "UNKNOWN"
},
"title": "Out-of-bounds Read vulnerability in CX-Programmer",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\u003cbr\u003e\u003cbr\u003e1. Anti-virus protection Protect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e2. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e3. Data input and output protection Validation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e4. Data recovery Periodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\n\n1. Anti-virus protection Protect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n2. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n3. Data input and output protection Validation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n4. Data recovery Periodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2025-0591",
"datePublished": "2025-02-16T23:58:32.165Z",
"dateReserved": "2025-01-20T06:13:11.242Z",
"dateUpdated": "2025-02-18T16:06:14.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12298 (GCVE-0-2024-12298)
Vulnerability from nvd – Published: 2025-01-14 00:45 – Updated: 2025-01-14 15:29
VLAI
Title
Vulnerability Report on Improper Restriction of XML External Entity Reference in NB-Designer
Summary
We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| OMRON Corporation | Programable Terminals NB-Designer | Affected: Ver.1.63 or lower |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12298",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T15:29:39.495895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T15:29:49.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"packageName": "NB-Designer",
"product": "Programable Terminals NB-Designer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.1.63 or lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer."
}
],
"value": "We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer."
}
],
"impacts": [
{
"capecId": "CAPEC-221",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-221 Data Serialization External Entities Blowup"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T00:45:38.605Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-002_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-002_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\u003cbr\u003eFor information on how to obtain and update the countermeasure version of the product, please contact our sales office or distributors.\u003cbr\u003e"
}
],
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\nFor information on how to obtain and update the countermeasure version of the product, please contact our sales office or distributors."
}
],
"source": {
"advisory": "OMSR-2025-002",
"discovery": "UNKNOWN"
},
"title": "Vulnerability Report on Improper Restriction of XML External Entity Reference in NB-Designer",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\u003cbr\u003e\u003cbr\u003e1. Secure Communication Function\u003cbr\u003eThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\u003cbr\u003e- NJ series, NX1P2 CPU Unit: Version 1.49 or higher\u003cbr\u003e\u003cbr\u003e2. Anti-virus protection\u003cbr\u003eProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e3. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e4. Data input and output protection\u003cbr\u003eValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e5. Data recovery\u003cbr\u003ePeriodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\n\n1. Secure Communication Function\nThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\n- NJ series, NX1P2 CPU Unit: Version 1.49 or higher\n\n2. Anti-virus protection\nProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n3. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n4. Data input and output protection\nValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n5. Data recovery\nPeriodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2024-12298",
"datePublished": "2025-01-14T00:45:38.605Z",
"dateReserved": "2024-12-06T05:22:07.010Z",
"dateUpdated": "2025-01-14T15:29:49.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12083 (GCVE-0-2024-12083)
Vulnerability from nvd – Published: 2025-01-14 00:46 – Updated: 2025-05-06 23:55
VLAI
Title
Path Traversal Vulnerabilities in NJ/NX-series Machine Automation Controllers
Summary
Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
15 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T15:28:53.612862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T15:29:28.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"packageName": "NJ101-[][][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ101-[][][][] Ver.1.64.05 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ301-[][][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ301-[][][][] Ver.1.64.05 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]0[]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]0[] Ver.1.64.05 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]2[]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]2[] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1340",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1340 Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-4[][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-4[][][] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-5300",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-5300 Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-R[][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[][][] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]1",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][]1 Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX102-[][]0[]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][]0[] Ver.1.64.07 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX102-[][]2[]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][]2[] Ver.1.64.07 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX502-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX502-[][][][] Ver.1.66.03 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX701-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX701-[][][][] Ver.1.35.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX-EIP201",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX-EIP201 Ver.1.01.02 and lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"value": "Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T23:55:36.575Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-001_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-001_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\u003cbr\u003eFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors. \u003cbr\u003e"
}
],
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\nFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors."
}
],
"source": {
"advisory": "OMSR-2025-001",
"discovery": "UNKNOWN"
},
"title": "Path Traversal Vulnerabilities in NJ/NX-series Machine Automation Controllers",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\u003cbr\u003e\u003cbr\u003e1. Secure Communication Function\u003cbr\u003eThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\u003cbr\u003e-NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\u003cbr\u003e-NX701 CPU Unit: Version 1.29 or higher\u003cbr\u003e-NX502 CPU Unit: Version 1.60 or higher\u003cbr\u003e-NX-EIP201 EtherNet/IPTM Unit: Version 1.00 or higher\u003cbr\u003e\u003cbr\u003e2. Anti-virus protection\u003cbr\u003eProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e3. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e4. Data input and output protection\u003cbr\u003eValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e5. Data recovery\u003cbr\u003ePeriodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\n\n1. Secure Communication Function\nThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\n-NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\n-NX701 CPU Unit: Version 1.29 or higher\n-NX502 CPU Unit: Version 1.60 or higher\n-NX-EIP201 EtherNet/IPTM Unit: Version 1.00 or higher\n\n2. Anti-virus protection\nProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n3. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n4. Data input and output protection\nValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n5. Data recovery\nPeriodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2024-12083",
"datePublished": "2025-01-14T00:46:33.399Z",
"dateReserved": "2024-12-03T04:43:25.034Z",
"dateUpdated": "2025-05-06T23:55:36.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49501 (GCVE-0-2024-49501)
Vulnerability from nvd – Published: 2024-11-01 04:07 – Updated: 2024-11-01 15:06
VLAI
Summary
Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program which is protected by Data Protection function.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| OMRON Corporation | SYSMAC-SE2[][][] | Affected: all versions |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T15:06:44.922885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T15:06:52.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SYSMAC-SE2[][][]",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program which is protected by Data Protection function."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect authorization",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T04:07:39.666Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-006_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-006_ja.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU95685374"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-49501",
"datePublished": "2024-11-01T04:07:39.666Z",
"dateReserved": "2024-10-15T11:32:15.313Z",
"dateUpdated": "2024-11-01T15:06:52.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33687 (GCVE-0-2024-33687)
Vulnerability from nvd – Published: 2024-06-24 15:03 – Updated: 2025-03-13 14:36
VLAI
Summary
Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Insufficient verification of data authenticity
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| OMRON Corporation | NJ Series CPU Unit | Affected: all versions |
| OMRON Corporation | NX Series CPU Unit | Affected: all versions |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-24T20:23:44.445669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:36:56.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:36:04.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-004_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92504444/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NJ Series CPU Unit",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"product": "NX Series CPU Unit",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient verification of data authenticity",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T15:03:05.467Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-004_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU92504444/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-33687",
"datePublished": "2024-06-24T15:03:05.467Z",
"dateReserved": "2024-04-26T07:55:08.563Z",
"dateUpdated": "2025-03-13T14:36:56.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31413 (GCVE-0-2024-31413)
Vulnerability from nvd – Published: 2024-05-01 12:54 – Updated: 2025-03-14 14:51
VLAI
Summary
Free of pointer not at start of buffer vulnerability exists in CX-One CX-One CXONE-AL[][]D-V4 (The version which was installed with a DVD ver. 4.61.1 or lower, and was updated through CX-One V4 auto update in January 2024 or prior) and Sysmac Studio SYSMAC-SE2[][][] (The version which was installed with a DVD ver. 1.56 or lower, and was updated through Sysmac Studio V1 auto update in January 2024 or prior). Opening a specially crafted project file may lead to arbitrary code execution.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Free of pointer not at start of buffer
- CWE-761 - Free of Pointer not at Start of Buffer
Assigner
References
2 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | CX-One CX-One CXONE-AL[][]D-V4 | Affected: The version which was installed with a DVD ver. 4.61.1 or lower<br>Affected: and was updated through CX-One V4 auto update in January 2024 or prior | |
| OMRON Corporation | Sysmac Studio SYSMAC-SE2[][][] | Affected: The version which was installed with a DVD ver. 1.56 or lower<br>Affected: and was updated through Sysmac Studio V1 auto update in January 2024 or prior | |
| omrom | cx-designer | Affected: `*`<br>`cpe:2.3:a:omrom:cx-designer:*:*:*:*:*:*:*:*` | |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:omrom:cx-designer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cx-designer",
"vendor": "omrom",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T14:49:56.532150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-761",
"description": "CWE-761 Free of Pointer not at Start of Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T14:51:31.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-002_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CX-One CX-One CXONE-AL[][]D-V4 ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "The version which was installed with a DVD ver. 4.61.1 or lower"
},
{
"status": "affected",
"version": " and was updated through CX-One V4 auto update in January 2024 or prior"
}
]
},
{
"product": "Sysmac Studio SYSMAC-SE2[][][] ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "The version which was installed with a DVD ver. 1.56 or lower"
},
{
"status": "affected",
"version": " and was updated through Sysmac Studio V1 auto update in January 2024 or prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Free of pointer not at start of buffer vulnerability exists in CX-One CX-One CXONE-AL[][]D-V4 (The version which was installed with a DVD ver. 4.61.1 or lower, and was updated through CX-One V4 auto update in January 2024 or prior) and Sysmac Studio SYSMAC-SE2[][][] (The version which was installed with a DVD ver. 1.56 or lower, and was updated through Sysmac Studio V1 auto update in January 2024 or prior). Opening a specially crafted project file may lead to arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Free of pointer not at start of buffer",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T12:54:15.483Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-002_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31413",
"datePublished": "2024-05-01T12:54:15.483Z",
"dateReserved": "2024-04-03T10:57:10.684Z",
"dateUpdated": "2025-03-14T14:51:31.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31412 (GCVE-0-2024-31412)
Vulnerability from nvd – Published: 2024-05-01 12:52 – Updated: 2024-08-02 01:52
VLAI
Summary
Out-of-bounds read vulnerability exists in CX-Programmer included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower. Opening a specially crafted project file may lead to information disclosure and/or a crash of the product.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Out-of-bounds read
- CWE-125 - Out-of-bounds Read
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | CX-Programmer | Affected: Included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower | |
| omron | cx-programmer | Affected: 0 , ≤ 9.81 (custom)<br>`cpe:2.3:a:omron:cx-programmer:*:*:*:*:*:*:*:*` | |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:omron:cx-programmer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cx-programmer",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "9.81",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T14:29:07.641532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T14:36:05.441Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-003_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Out-of-bounds read vulnerability exists in CX-Programmer included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower. Opening a specially crafted project file may lead to information disclosure and/or the product being crashed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Out-of-bounds read",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T12:52:13.173Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-003_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31412",
"datePublished": "2024-05-01T12:52:13.173Z",
"dateReserved": "2024-04-03T10:57:10.684Z",
"dateUpdated": "2024-08-02T01:52:56.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27121 (GCVE-0-2024-27121)
Vulnerability from nvd – Published: 2024-03-12 07:55 – Updated: 2024-08-16 19:50
VLAI
Summary
Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed, or arbitrary code may be executed, when the product processes a specially crafted request sent by a remote attacker with administrative privilege. For details of the affected product names and versions, see the information provided by the vendor under the [References] section.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Path traversal
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
17 products
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ101-[][][][] Ver.1.64.03 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ301-[][][][] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-1[]0[] Ver.1.64.03 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-1[]2[] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-1340 Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-4[][][] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-5300 Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-R[][][] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX1P2-[][][][][][] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX1P2-[][][][][][]1 Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX102-[][][][] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX502-[][][][] Ver.1.65.01 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX701-[][][][] Ver.1.35.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX-EIP201 Ver.1.00.01 and earlier | |
| omron | nj101-9020_firmware | Affected: 0 , ≤ 1.64.03 (custom)<br>`cpe:2.3:o:omron:nj101-1000_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj101-1020_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj101-9000_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj101-9020_firmware:-:*:*:*:*:*:*:*` | |
| omron | nj301-1200_firmware | Affected: 0 , ≤ 1.64.00 (custom)<br>`cpe:2.3:o:omron:nj301-1100_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj301-1200_firmware:-:*:*:*:*:*:*:*` | |
| omron | nj501-r520_firmware | Affected: 0 , ≤ 1.64.00 (custom)<br>`cpe:2.3:o:omron:nj501-1300_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-1320_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-1340_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-1400_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-1420_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-1500_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-1520_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-4300_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-4310_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-4320_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-4400_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-4500_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-5300_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-r300_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-r320_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-r400_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-r420_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-r500_firmware:-:*:*:*:*:*:*:*` `cpe:2.3:o:omron:nj501-r520_firmware:-:*:*:*:*:*:*:*` | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-001_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-001_ja.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU95852116/index.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:omron:nj101-1000_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-1020_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-9000_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-9020_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj101-9020_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:omron:nj301-1100_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj301-1200_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj301-1200_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:omron:nj501-1300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1340_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1420_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1520_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4310_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-5300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r420_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r520_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj501-r520_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-27121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-12T18:25:40.523309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T19:50:12.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ101-[][][][] Ver.1.64.03 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ301-[][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]0[] Ver.1.64.03 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]2[] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1340 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-4[][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-5300 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][]1 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX502-[][][][] Ver.1.65.01 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX701-[][][][] Ver.1.35.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX-EIP201 Ver.1.00.01 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege. As for the details of the affected product names/versions, see the information provided by the vendor under [References] section."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T07:55:48.301Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-001_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-001_ja.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU95852116/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-27121",
"datePublished": "2024-03-12T07:55:48.301Z",
"dateReserved": "2024-02-20T08:22:05.133Z",
"dateUpdated": "2024-08-16T19:50:12.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43624 (GCVE-0-2023-43624)
Vulnerability from nvd – Published: 2023-10-23 04:51 – Updated: 2024-09-17 14:19
VLAI
Summary
CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- XML external entities (XXE)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | CX-Designer | Affected: Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.805Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-011_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU98683567/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:14:29.731149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T14:19:52.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Designer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML external entities (XXE)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T04:51:39.628Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-011_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU98683567/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-43624",
"datePublished": "2023-10-23T04:51:39.628Z",
"dateReserved": "2023-09-20T11:52:20.771Z",
"dateUpdated": "2024-09-17T14:19:52.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22277 (GCVE-0-2023-22277)
Vulnerability from nvd – Published: 2023-08-03 13:05 – Updated: 2024-10-17 14:21
VLAI
Summary
Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22317 and CVE-2023-22314.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Use after free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://jvn.jp/en/vu/JVNVU92877622/ |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | CX-Programmer | Affected: Ver.9.79 and earlier | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92877622/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T14:21:26.727465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T14:21:36.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.9.79 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22317 and CVE-2023-22314."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use after free",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T13:05:45.204Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/vu/JVNVU92877622/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22277",
"datePublished": "2023-08-03T13:05:45.204Z",
"dateReserved": "2022-12-27T15:57:55.077Z",
"dateUpdated": "2024-10-17T14:21:36.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1384 (GCVE-0-2025-1384)
Vulnerability from cvelistv5 – Published: 2025-07-13 23:42 – Updated: 2025-07-14 14:15
VLAI
Title
Least Privilege Violation Vulnerability in the communications functions of NJ/NX-series Machine Automation Controllers
Summary
A Least Privilege Violation (CWE-272) vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to gain unauthorized access to the controller products and to execute unauthorized code on them remotely.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-272 - Least Privilege Violation
Assigner
References
Impacted products
15 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T14:14:22.828617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T14:15:23.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"packageName": "NJ101-[][][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ101-[][][][] Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ301-1[]00",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ301-1[]00 Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]00",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]00 Ver.1.67.02 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]20",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]20 Ver.1.68.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1340",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1340 Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-4[][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-4[][][] Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-5300",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-5300 Ver.1.67.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-R[]00",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[]00 Ver.1.67.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-R[]20",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[]20 Ver.1.67.00 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX102-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][][][] Ver.1.68.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][] Ver.1.64.09 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]1",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][]1 Ver.1.64.09 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX502-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX502-[][][][] Ver.1.68.01 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX701-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX701-[][][][] Ver.1.35.09 or lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "SYSMAC-SE2[][][]",
"product": "Sysmac Studio Software",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "SYSMAC-SE2[][][] all"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Least Privilege Violation (CWE-272) Vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"value": "Least Privilege Violation (CWE-272) Vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-272",
"description": "CWE-272 Least Privilege Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-13T23:42:09.953Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-004_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-004_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The countermeasure against the vulnerability can be implemented by updating each product to the countermeasure version and setting the secure communication version 2.\u003cbr\u003eFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors. \u003cbr\u003e"
}
],
"value": "The countermeasure against the vulnerability can be implemented by updating each product to the countermeasure version and setting the secure communication version 2.\nFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors."
}
],
"source": {
"advisory": "OMSR-2025-004",
"discovery": "UNKNOWN"
},
"title": "Least Privilege Violation Vulnerability in the communications functions of NJ/NX-series Machine Automation Controllers",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of this vulnerability.\u003cbr\u003e\u003cbr\u003e1. Secure Communication Function\u003cbr\u003eThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\u003cbr\u003e- NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\u003cbr\u003e- NX701 CPU Unit: Version 1.29 or higher\u003cbr\u003e- NX502 CPU Unit: Version 1.60 or higher\u003cbr\u003e\u003cbr\u003e2. Anti-virus protection\u003cbr\u003eProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e3. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e4. Data input and output protection\u003cbr\u003eValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e5. Data recovery\u003cbr\u003ePeriodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of this vulnerability.\n\n1. Secure Communication Function\nThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\n- NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\n- NX701 CPU Unit: Version 1.29 or higher\n- NX502 CPU Unit: Version 1.60 or higher\n\n2. Anti-virus protection\nProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n3. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n4. Data input and output protection\nValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n5. Data recovery\nPeriodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2025-1384",
"datePublished": "2025-07-13T23:42:09.953Z",
"dateReserved": "2025-02-16T23:57:46.232Z",
"dateUpdated": "2025-07-14T14:15:23.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0591 (GCVE-0-2025-0591)
Vulnerability from cvelistv5 – Published: 2025-02-16 23:58 – Updated: 2025-02-18 16:06
VLAI
Title
Out-of-bounds Read vulnerability in CX-Programmer
Summary
Out-of-bounds Read vulnerability (CWE-125) was found in CX-Programmer. Attackers may be able to read sensitive information or cause an application crash by abusing this vulnerability.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | FA Integrated Tool Package CX-One | Affected: Ver.9.83 or lower | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T16:06:06.684155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T16:06:14.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "CX-Programmer",
"product": "FA Integrated Tool Package CX-One",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.9.83 or lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Out-of-bounds Read vulnerability (CWE-125) was found in CX-Programmer. Attackers may be able to read sensitive information or cause an application crash by abusing this vulnerability."
}
],
"value": "Out-of-bounds Read vulnerability (CWE-125) was found in CX-Programmer. Attackers may be able to read sensitive information or cause an application crash by abusing this vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-540",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-540 Overread Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-16T23:58:32.165Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-003_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-003_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update your CX-Programmer to the countermeasure version to fix the vulnerability.\u003cbr\u003eFor information on how to obtain and update the countermeasure version of the product, please contact our sales representative or distributor. You can update CX-One to the latest versions using the installed Omron Automation Software AutoUpdate tool.\u003cbr\u003e"
}
],
"value": "Update your CX-Programmer to the countermeasure version to fix the vulnerability.\nFor information on how to obtain and update the countermeasure version of the product, please contact our sales representative or distributor. You can update CX-One to the latest versions using the installed Omron Automation Software AutoUpdate tool."
}
],
"source": {
"advisory": "OMSR-2025-003",
"discovery": "UNKNOWN"
},
"title": "Out-of-bounds Read vulnerability in CX-Programmer",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\u003cbr\u003e\u003cbr\u003e1. Anti-virus protection Protect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e2. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e3. Data input and output protection Validation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e4. Data recovery Periodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\n\n1. Anti-virus protection Protect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n2. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n3. Data input and output protection Validation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n4. Data recovery Periodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2025-0591",
"datePublished": "2025-02-16T23:58:32.165Z",
"dateReserved": "2025-01-20T06:13:11.242Z",
"dateUpdated": "2025-02-18T16:06:14.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12083 (GCVE-0-2024-12083)
Vulnerability from cvelistv5 – Published: 2025-01-14 00:46 – Updated: 2025-05-06 23:55
VLAI
Title
Path Traversal Vulnerabilities in NJ/NX-series Machine Automation Controllers
Summary
Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to gain unauthorized access to the controller products and to execute unauthorized code on them remotely.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
15 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T15:28:53.612862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T15:29:28.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"packageName": "NJ101-[][][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ101-[][][][] Ver.1.64.05 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ301-[][][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ301-[][][][] Ver.1.64.05 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]0[]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]0[] Ver.1.64.05 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1[]2[]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]2[] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-1340",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1340 Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-4[][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-4[][][] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-5300",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-5300 Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NJ501-R[][][]",
"product": "Machine Automation Controller NJ-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[][][] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][] Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX1P2-[][][][][][]1",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][]1 Ver.1.64.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX102-[][]0[]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][]0[] Ver.1.64.07 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX102-[][]2[]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][]2[] Ver.1.64.07 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX502-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX502-[][][][] Ver.1.66.03 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX701-[][][][]",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX701-[][][][] Ver.1.35.04 and lower"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "NX-EIP201",
"product": "Machine Automation Controller NX-series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX-EIP201 Ver.1.01.02 and lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"value": "Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T23:55:36.575Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-001_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-001_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\u003cbr\u003eFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors. \u003cbr\u003e"
}
],
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\nFor information on how to obtain and update the firmware for the countermeasure version of the product, please contact our sales office or distributors."
}
],
"source": {
"advisory": "OMSR-2025-001",
"discovery": "UNKNOWN"
},
"title": "Path Traversal Vulnerabilities in NJ/NX-series Machine Automation Controllers",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\u003cbr\u003e\u003cbr\u003e1. Secure Communication Function\u003cbr\u003eThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\u003cbr\u003e-NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\u003cbr\u003e-NX701 CPU Unit: Version 1.29 or higher\u003cbr\u003e-NX502 CPU Unit: Version 1.60 or higher\u003cbr\u003e-NX-EIP201 EtherNet/IPTM Unit: Version 1.00 or higher\u003cbr\u003e\u003cbr\u003e2. Anti-virus protection\u003cbr\u003eProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e3. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e4. Data input and output protection\u003cbr\u003eValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e5. Data recovery\u003cbr\u003ePeriodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\n\n1. Secure Communication Function\nThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\n-NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or higher\n-NX701 CPU Unit: Version 1.29 or higher\n-NX502 CPU Unit: Version 1.60 or higher\n-NX-EIP201 EtherNet/IPTM Unit: Version 1.00 or higher\n\n2. Anti-virus protection\nProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n3. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n4. Data input and output protection\nValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n5. Data recovery\nPeriodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2024-12083",
"datePublished": "2025-01-14T00:46:33.399Z",
"dateReserved": "2024-12-03T04:43:25.034Z",
"dateUpdated": "2025-05-06T23:55:36.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12298 (GCVE-0-2024-12298)
Vulnerability from cvelistv5 – Published: 2025-01-14 00:45 – Updated: 2025-01-14 15:29
VLAI
Title
Vulnerability Report on Improper Restriction of XML External Entity Reference in NB-Designer
Summary
We found an Improper Restriction of XML External Entity Reference vulnerability (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | Programable Terminals NB-Designer | Affected: Ver.1.63 or lower | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12298",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T15:29:39.495895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T15:29:49.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"packageName": "NB-Designer",
"product": "Programable Terminals NB-Designer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.1.63 or lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer."
}
],
"value": "We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer."
}
],
"impacts": [
{
"capecId": "CAPEC-221",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-221 Data Serialization External Entities Blowup"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T00:45:38.605Z",
"orgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"shortName": "OMRON"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-002_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-002_ja.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\u003cbr\u003eFor information on how to obtain and update the countermeasure version of the product, please contact our sales office or distributors.\u003cbr\u003e"
}
],
"value": "The countermeasure against the vulnerabilities can be implemented by updating each product to the countermeasure version.\nFor information on how to obtain and update the countermeasure version of the product, please contact our sales office or distributors."
}
],
"source": {
"advisory": "OMSR-2025-002",
"discovery": "UNKNOWN"
},
"title": "Vulnerability Report on Improper Restriction of XML External Entity Reference in NB-Designer",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\u003cbr\u003e\u003cbr\u003e1. Secure Communication Function\u003cbr\u003eThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\u003cbr\u003e- NJ series, NX1P2 CPU Unit: Version 1.49 or higher\u003cbr\u003e\u003cbr\u003e2. Anti-virus protection\u003cbr\u003eProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\u003cbr\u003e\u003cbr\u003e3. Security measures to prevent unauthorized access\u003cbr\u003e- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\u003cbr\u003e- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\u003cbr\u003e- Use a virtual private network (VPN) for remote access to control systems and equipment.\u003cbr\u003e- Use strong passwords and change them frequently.\u003cbr\u003e- Install physical controls so that only authorized personnel can access control systems and equipment.\u003cbr\u003e- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\u003cbr\u003e- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\u003cbr\u003e\u003cbr\u003e4. Data input and output protection\u003cbr\u003eValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\u003cbr\u003e\u003cbr\u003e5. Data recovery\u003cbr\u003ePeriodical data backup and maintenance to prepare for data loss.\u003cbr\u003e"
}
],
"value": "OMRON recommends that customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities.\n\n1. Secure Communication Function\nThe secure communication function can prevent data from being eavesdropped or tampered with by a third party. Secure communication is available in the following CPU Units of the stated versions.\n- NJ series, NX1P2 CPU Unit: Version 1.49 or higher\n\n2. Anti-virus protection\nProtect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.\n\n3. Security measures to prevent unauthorized access\n- Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.\n- Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.\n- Use a virtual private network (VPN) for remote access to control systems and equipment.\n- Use strong passwords and change them frequently.\n- Install physical controls so that only authorized personnel can access control systems and equipment.\n- Scan virus to ensure safety of any USB drives or similar devices before connecting them to systems and devices.\n- Enforce multifactor authentication to all devices with remote access to control systems and equipment whenever possible.\n\n4. Data input and output protection\nValidation processing such as backup and range check to cope with unintentional modification of input/output data to control systems and devices.\n\n5. Data recovery\nPeriodical data backup and maintenance to prepare for data loss."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bba440f9-ef23-4224-aa62-7ac0935d18d1",
"assignerShortName": "OMRON",
"cveId": "CVE-2024-12298",
"datePublished": "2025-01-14T00:45:38.605Z",
"dateReserved": "2024-12-06T05:22:07.010Z",
"dateUpdated": "2025-01-14T15:29:49.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49501 (GCVE-0-2024-49501)
Vulnerability from cvelistv5 – Published: 2024-11-01 04:07 – Updated: 2024-11-01 15:06
Summary
Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program that is protected by the Data Protection function.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | SYSMAC-SE2[][][] | Affected: all versions | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T15:06:44.922885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T15:06:52.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SYSMAC-SE2[][][]",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program which is protected by Data Protection function."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect authorization",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T04:07:39.666Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-006_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-006_ja.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU95685374"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-49501",
"datePublished": "2024-11-01T04:07:39.666Z",
"dateReserved": "2024-10-15T11:32:15.313Z",
"dateUpdated": "2024-11-01T15:06:52.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33687 (GCVE-0-2024-33687)
Vulnerability from cvelistv5 – Published: 2024-06-24 15:03 – Updated: 2025-03-13 14:36
Summary
An insufficient verification of data authenticity issue exists in all versions of NJ Series CPU Unit and all versions of NX Series CPU Unit. If a user program in the affected product is altered, the product may not be able to detect the alteration.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Insufficient verification of data authenticity
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | NJ Series CPU Unit | Affected: all versions | |
| OMRON Corporation | NX Series CPU Unit | Affected: all versions | |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-24T20:23:44.445669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:36:56.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:36:04.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-004_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92504444/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NJ Series CPU Unit",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"product": "NX Series CPU Unit",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient verification of data authenticity",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T15:03:05.467Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-004_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU92504444/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-33687",
"datePublished": "2024-06-24T15:03:05.467Z",
"dateReserved": "2024-04-26T07:55:08.563Z",
"dateUpdated": "2025-03-13T14:36:56.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31413 (GCVE-0-2024-31413)
Vulnerability from cvelistv5 – Published: 2024-05-01 12:54 – Updated: 2025-03-14 14:51
Summary
Free of pointer not at start of buffer vulnerability exists in CX-One CX-One CXONE-AL[][]D-V4 (The version which was installed with a DVD ver. 4.61.1 or lower, and was updated through CX-One V4 auto update in January 2024 or prior) and Sysmac Studio SYSMAC-SE2[][][] (The version which was installed with a DVD ver. 1.56 or lower, and was updated through Sysmac Studio V1 auto update in January 2024 or prior). Opening a specially crafted project file may lead to arbitrary code execution.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Free of pointer not at start of buffer
- CWE-761 - Free of Pointer not at Start of Buffer
Assigner
References
2 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | CX-One CX-One CXONE-AL[][]D-V4 | Affected: The version which was installed with a DVD ver. 4.61.1 or lower<br>Affected: and was updated through CX-One V4 auto update in January 2024 or prior | |
| OMRON Corporation | Sysmac Studio SYSMAC-SE2[][][] | Affected: The version which was installed with a DVD ver. 1.56 or lower<br>Affected: and was updated through Sysmac Studio V1 auto update in January 2024 or prior | |
| omrom | cx-designer | Affected: `*`<br>`cpe:2.3:a:omrom:cx-designer:*:*:*:*:*:*:*:*` | |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:omrom:cx-designer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cx-designer",
"vendor": "omrom",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T14:49:56.532150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-761",
"description": "CWE-761 Free of Pointer not at Start of Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T14:51:31.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-002_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CX-One CX-One CXONE-AL[][]D-V4 ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "The version which was installed with a DVD ver. 4.61.1 or lower"
},
{
"status": "affected",
"version": " and was updated through CX-One V4 auto update in January 2024 or prior"
}
]
},
{
"product": "Sysmac Studio SYSMAC-SE2[][][] ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "The version which was installed with a DVD ver. 1.56 or lower"
},
{
"status": "affected",
"version": " and was updated through Sysmac Studio V1 auto update in January 2024 or prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Free of pointer not at start of buffer vulnerability exists in CX-One CX-One CXONE-AL[][]D-V4 (The version which was installed with a DVD ver. 4.61.1 or lower, and was updated through CX-One V4 auto update in January 2024 or prior) and Sysmac Studio SYSMAC-SE2[][][] (The version which was installed with a DVD ver. 1.56 or lower, and was updated through Sysmac Studio V1 auto update in January 2024 or prior). Opening a specially crafted project file may lead to arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Free of pointer not at start of buffer",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T12:54:15.483Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-002_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31413",
"datePublished": "2024-05-01T12:54:15.483Z",
"dateReserved": "2024-04-03T10:57:10.684Z",
"dateUpdated": "2025-03-14T14:51:31.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31412 (GCVE-0-2024-31412)
Vulnerability from cvelistv5 – Published: 2024-05-01 12:52 – Updated: 2024-08-02 01:52
Summary
An out-of-bounds read vulnerability exists in CX-Programmer included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower. Opening a specially crafted project file may lead to information disclosure and/or a crash of the product.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Out-of-bounds read
- CWE-125 - Out-of-bounds Read
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | CX-Programmer | Affected: Included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower | |
| omron | cx-programmer | Affected: 0 , ≤ 9.81 (custom)<br>`cpe:2.3:a:omron:cx-programmer:*:*:*:*:*:*:*:*` | |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:omron:cx-programmer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cx-programmer",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "9.81",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T14:29:07.641532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T14:36:05.441Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-003_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CX-Programmer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Out-of-bounds read vulnerability exists in CX-Programmer included in CX-One CXONE-AL[][]D-V4 Ver. 9.81 or lower. Opening a specially crafted project file may lead to information disclosure and/or the product being crashed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Out-of-bounds read",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T12:52:13.173Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-003_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU98274902/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31412",
"datePublished": "2024-05-01T12:52:13.173Z",
"dateReserved": "2024-04-03T10:57:10.684Z",
"dateUpdated": "2024-08-02T01:52:56.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27121 (GCVE-0-2024-27121)
Vulnerability from cvelistv5 – Published: 2024-03-12 07:55 – Updated: 2024-08-16 19:50
Summary
A path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed, or arbitrary code may be executed, when the product processes a specially crafted request sent by a remote attacker with an administrative privilege. For details of the affected product names and versions, see the information provided by the vendor under the [References] section.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Path traversal
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
17 products
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ101-[][][][] Ver.1.64.03 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ301-[][][][] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-1[]0[] Ver.1.64.03 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-1[]2[] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-1340 Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-4[][][] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-5300 Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NJ Series | Affected: NJ501-R[][][] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX1P2-[][][][][][] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX1P2-[][][][][][]1 Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX102-[][][][] Ver.1.64.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX502-[][][][] Ver.1.65.01 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX701-[][][][] Ver.1.35.00 and earlier | |
| OMRON Corporation | Machine Automation Controller NX Series | Affected: NX-EIP201 Ver.1.00.01 and earlier | |
| omron | nj101-9020_firmware | Affected: 0 , ≤ 1.64.03 (custom)<br>`cpe:2.3:o:omron:nj101-1000_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj101-1020_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj101-9000_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj101-9020_firmware:-:*:*:*:*:*:*:*` | |
| omron | nj301-1200_firmware | Affected: 0 , ≤ 1.64.00 (custom)<br>`cpe:2.3:o:omron:nj301-1100_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj301-1200_firmware:-:*:*:*:*:*:*:*` | |
| omron | nj501-r520_firmware | Affected: 0 , ≤ 1.64.00 (custom)<br>`cpe:2.3:o:omron:nj501-1300_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-1320_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-1340_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-1400_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-1420_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-1500_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-1520_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-4300_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-4310_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-4320_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-4400_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-4500_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-5300_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-r300_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-r320_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-r400_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-r420_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-r500_firmware:-:*:*:*:*:*:*:*`<br>`cpe:2.3:o:omron:nj501-r520_firmware:-:*:*:*:*:*:*:*` | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-001_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-001_ja.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU95852116/index.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:omron:nj101-1000_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-1020_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-9000_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj101-9020_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj101-9020_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:omron:nj301-1100_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj301-1200_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj301-1200_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:omron:nj501-1300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1340_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1420_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-1520_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4310_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-4500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-5300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r300_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r320_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r400_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r420_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r500_firmware:-:*:*:*:*:*:*:*",
"cpe:2.3:o:omron:nj501-r520_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nj501-r520_firmware",
"vendor": "omron",
"versions": [
{
"lessThanOrEqual": "1.64.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-27121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-12T18:25:40.523309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T19:50:12.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ101-[][][][] Ver.1.64.03 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ301-[][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]0[] Ver.1.64.03 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1[]2[] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-1340 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-4[][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-5300 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NJ Series ",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NJ501-R[][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX1P2-[][][][][][]1 Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX102-[][][][] Ver.1.64.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX502-[][][][] Ver.1.65.01 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX701-[][][][] Ver.1.35.00 and earlier "
}
]
},
{
"product": "Machine Automation Controller NX Series",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "NX-EIP201 Ver.1.00.01 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege. As for the details of the affected product names/versions, see the information provided by the vendor under [References] section."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T07:55:48.301Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-001_en.pdf"
},
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2024-001_ja.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU95852116/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-27121",
"datePublished": "2024-03-12T07:55:48.301Z",
"dateReserved": "2024-02-20T08:22:05.133Z",
"dateUpdated": "2024-08-16T19:50:12.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43624 (GCVE-0-2023-43624)
Vulnerability from cvelistv5 – Published: 2023-10-23 04:51 – Updated: 2024-09-17 14:19
Summary
CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- XML external entities (XXE)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OMRON Corporation | CX-Designer | Affected: Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.805Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-011_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU98683567/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:14:29.731149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T14:19:52.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CX-Designer",
"vendor": "OMRON Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML external entities (XXE)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T04:51:39.628Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-011_en.pdf"
},
{
"url": "https://jvn.jp/en/vu/JVNVU98683567/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-43624",
"datePublished": "2023-10-23T04:51:39.628Z",
"dateReserved": "2023-09-20T11:52:20.771Z",
"dateUpdated": "2024-09-17T14:19:52.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}