CVE-2022-31204

moderate-risk

Published 2022-07-26

Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext.

Do I need to act?

0.12% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (8)

Sysmac Cs1 Firmware

Sysmac Cj2M Firmware

Sysmac Cj2H Firmware

Sysmac Cp1E Firmware

Sysmac Cp1H Firmware

Sysmac Cp1L Firmware

Cp1W-Cif41 Firmware

Cx-Programmer

Affected Vendors

Omron

References (4)

Third Party Advisory https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02

Third Party Advisory https://www.forescout.com/blog/

Third Party Advisory https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02

Third Party Advisory https://www.forescout.com/blog/

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 14/34 · Moderate