Aggregates CVE and security vulnerability intelligence across all Omron-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve memory corruption, buffer overflows, and related problems; some flaws may lead to memory corruption, affecting software deployment scenarios.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-33687 | Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration. | [email protected] | 7.5 | 0.21% | 2024-06-24 | 2025-03-13 |
| CVE-2022-45792 | Project files may contain malicious contents which the software will use to create files on the filesystem. This allows directory traversal and overwriting files with the privileges of the logged-in user. | [email protected] | 7.8 | 0.06% | 2024-01-22 | 2024-11-21 |
| CVE-2022-45790 | The Omron FINS protocol has an authenticated feature to prevent access to memory regions. Authentication is susceptible to brute-force attack, which may allow an adversary to gain access to protected memory. This access can allow overwrite of values including programmed logic. | [email protected] | 8.6 | 0.39% | 2024-01-22 | 2024-11-21 |
| CVE-2022-45794 | An attacker with network access to the affected PLC (CJ-series and CS-series PLCs, all versions) may use a network protocol to read and write files on the PLC internal memory and memory card. | [email protected] | 8.6 | 0.16% | 2024-01-10 | 2024-11-21 |
| CVE-2022-45793 | Sysmac Studio installs executables in a directory with poor permissions. This can allow a locally-authenticated attacker to overwrite files which will result in code execution with privileges of a different user. | [email protected] | 5.5 | 0.03% | 2024-01-10 | 2024-11-21 |
| CVE-2023-22277 | Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22317 and CVE-2023-22314. | [email protected] | 7.8 | 0.05% | 2023-08-03 | 2024-11-21 |
| CVE-2023-22317 | Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22277 and CVE-2023-22314. | [email protected] | 7.8 | 0.05% | 2023-08-03 | 2024-11-21 |
| CVE-2023-22314 | Use after free vulnerability exists in CX-Programmer Ver.9.79 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. This vulnerability is different from CVE-2023-22277 and CVE-2023-22317. | [email protected] | 7.8 | 0.05% | 2023-08-03 | 2024-11-21 |
| CVE-2023-38748 | Use after free vulnerability exists in CX-Programmer Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. | [email protected] | 7.8 | 0.15% | 2023-08-03 | 2024-11-21 |
| CVE-2023-38747 | Heap-based buffer overflow vulnerability exists in CX-Programmer Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. | [email protected] | 7.8 | 0.17% | 2023-08-03 | 2024-11-21 |
| CVE-2023-38746 | Out-of-bounds read vulnerability/issue exists in CX-Programmer Included in CX-One CXONE-AL[][]D-V4 V9.80 and earlier. By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur. | [email protected] | 7.8 | 0.06% | 2023-08-03 | 2024-11-21 |
| CVE-2023-38744 | Denial-of-service (DoS) vulnerability due to improper validation of specified type of input issue exists in the built-in EtherNet/IP port of the CJ Series CJ2 CPU unit and the communication function of the CS/CJ Series EtherNet/IP unit. If an affected product receives a packet which is specially crafted by a remote unauthenticated attacker, the unit of the affected product may fall into a denial-of-service (DoS) condition. Affected products/versions are as follows: CJ2M CPU Unit CJ2M-CPU3[] Unit | [email protected] | 7.5 | 0.35% | 2023-08-03 | 2024-11-21 |
| CVE-2023-27396 | FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON products. Multiple OMRON products that implement the FINS protocol contain the following security issues: (1) plaintext communication, and (2) no authentication required. When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on | [email protected] | 9.8 | 1.67% | 2023-06-19 | 2024-12-24 |
| CVE-2023-27385 | Heap-based buffer overflow vulnerability exists in CX-Drive All models all versions. By having a user open a specially crafted SDD file, arbitrary code may be executed and/or information may be disclosed. | [email protected] | 7.8 | 0.06% | 2023-05-10 | 2025-01-28 |
| CVE-2023-0811 | Omron CJ1M unit v4.0 and prior has improper access controls on the memory region where the UM password is stored. If an adversary issues a PROGRAM AREA WRITE command to a specific memory region, they could overwrite the password. This may lead to disabling UM protections or setting a non-ASCII password (non-keyboard characters) and preventing an engineer from viewing or modifying the user program. | [email protected] | 9.1 | 0.28% | 2023-03-16 | 2024-11-21 |
| CVE-2023-22322 | Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed. | [email protected] | 5.5 | 0.08% | 2023-01-30 | 2025-03-27 |
| CVE-2023-22366 | CX-Motion-MCH v2.32 and earlier contains an access of uninitialized pointer vulnerability. Having a user open a specially crafted project file may lead to information disclosure and/or arbitrary code execution. | [email protected] | 7.8 | 0.06% | 2023-01-17 | 2025-04-03 |
| CVE-2023-22357 | Active debug code exists in OMRON CP1L-EL20DR-D all versions, which may lead to a command that is not specified in FINS protocol being executed without authentication. A remote unauthenticated attacker may read/write in arbitrary area of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution. | [email protected] | 9.8 | 3.05% | 2023-01-17 | 2025-04-04 |
| CVE-2022-46282 | Use after free vulnerability in CX-Drive V3.00 and earlier allows a local attacker to execute arbitrary code by having a user open a specially crafted file. | [email protected] | 7.8 | 0.14% | 2022-12-21 | 2025-04-16 |
| CVE-2022-43667 | Stack-based buffer overflow vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user open a specially crafted CXP file. | [email protected] | 7.8 | 0.09% | 2022-12-07 | 2025-04-23 |