CVE-2022-29958

high-risk

Published 2022-07-26

JTEKT TOYOPUC PLCs through 2022-04-29 do not ensure data integrity. They utilize the unauthenticated CMPLink/TCP protocol for engineering purposes, including downloading projects and control logic to the PLC. Control logic is downloaded to the PLC on a block-by-block basis with a given memory address and a blob of machine code. The logic that is downloaded to the PLC is not cryptographically authenticated, allowing an attacker to execute arbitrary machine code on the PLC's CPU module in the context of the runtime. In the case of the PC10G-CPU, and likely for other CPU modules of the TOYOPUC family, a processor without MPU or MMU is used and this no memory protection or privilege-separation capabilities are available, giving an attacker full control over the CPU.

Do I need to act?

0.12% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (17)

Pc10G-Cpu Tcc-6353 Firmware

Pc10Ge Tcc-6464 Firmware

Pc10P Tcc-6372 Firmware

Pc10P-Dp Tcc-6726 Firmware

Pc10P-Dp-Io Tcc-6752 Firmware

Pc10B-P Tcc-6373 Firmware

Pc10B Tcc-1021 Firmware

Pc10E Tcc-4737 Firmware

Pc10El Tcc-4747 Firmware

Plus Cpu Tcc-6740 Firmware

Pc3Jx Tcc-6901 Firmware

Pc3Jx-D Tcc-6902 Firmware

Pc10Pe Tcc-1101 Firmware

Pc10Pe-1616P Tcc-1102 Firmware

Pcdl Tkc-6688 Firmware

Nano 10Gx Tuc-1157 Firmware

Nano Cpu Tuc-6941 Firmware

Affected Vendors

Jtekt

References (4)

Third Party Advisory https://www.cisa.gov/uscert/ics/advisories/icsa-22-172-02

Third Party Advisory https://www.forescout.com/blog/

Third Party Advisory https://www.cisa.gov/uscert/ics/advisories/icsa-22-172-02

Third Party Advisory https://www.forescout.com/blog/

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 1/34 · Minimal

Exposure 19/34 · Moderate