CVE-2022-31204
Last modified
CVE-2022-31204 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). EPSS estimates a 0.50% chance of exploitation in the next 30 days.
Description
Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Omron | Sysmac Cs1 Firmware | < 4.1 |
| Omron | Sysmac Cj2m Firmware | < 2.1 |
| Omron | Sysmac Cj2h Firmware | < 1.5 |
| Omron | Sysmac Cp1e Firmware | < 1.30 |
| Omron | Sysmac Cp1h Firmware | < 1.30 |
| Omron | Sysmac Cp1l Firmware | < 1.10 |
| Omron | Cp1w-Cif41 Firmware | All versions |
| Omron | Cx-Programmer | < 9.6 |
References
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02Third Party Advisory, US Government Resource
- https://www.forescout.com/blog/Third Party Advisory
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02Third Party Advisory, US Government Resource
- https://www.forescout.com/blog/Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-31204?
How severe is CVE-2022-31204?
How do I fix CVE-2022-31204?
Are you affected by CVE-2022-31204?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST