⚡ TL;DR | Go Straight to the Omron Improper Access Control Vulnerability Report
Omron has released a security advisory regarding an improper access control vulnerability in the CS/CJ/CP series of their programmable controllers. The issue affects multiple components of the CJ1M PLC and could allow an attacker to bypass user memory protections and overwrite passwords or lock you out of reading your own memory regions. Our team has added a new report to your Lansweeper installation to help you locate potentially vulnerable devices.
Omron Vulnerability CVE-2023-0811
The issue tracked as CVE-2023-0811 affects the CS/CJ/CP-series of programmable controllers. There are improper access controls on the memory region where the UM password is stored. By issuing a PROGRAM AREA WRITE command to a specific memory region, an attacker could overwrite the password. The vulnerability received a critical CVSS base score of 9.1. So far there have been no reports of the vulnerabilities being exploited in the wild.
Protect Vulnerable Omron PLCs
The vulnerabilities exist in several products and versions of the CS/CJ/CP-series Programmable Controllers. You can find the full list below. In order to protect yourself from attacks, Omron has provided countermeasures you can take:
- Enable the hardware switch to prohibit writing UM. (DIP switch on the front panel of the CPU Unit)
- Set UM read protection password and “Prohibit from overwriting to a protected program” option.
You can find detailed instructions for these countermeasures in Omron’s advisory. In case you are unable to take these countermeasures at this time, it also provides a number of mitigation measures you can take.
Affected Products and Versions
| Product Series | Model | Version |
| SYSMAC CJ-series | CJ2H-CPU6[]-EIP | All versions |
| CJ2H-CPU6[] | All versions | |
| CJ2M-CPU[][] | All versions | |
| CJ1G-CPU[][]P | All versions | |
| SYSMAC CS-series | CS1H-CPU[][]H | All versions |
| CS1G-CPU[][]H | All versions | |
| CS1D-CPU[][]HA | All versions | |
| CS1D-CPU[][]H | All versions | |
| CS1D-CPU[][]SA | All versions | |
| CS1D-CPU[][]S | All versions | |
| CS1D-CPU[][]P | All versions | |
| SYSMAC CP-series | CP2E-E[][]D[]-[] | All versions |
| CP2E-S[][]D[]-[] | All versions | |
| CP2E-N[][]D[]-[] | All versions | |
| CP1H-X40D[]-[] | All versions | |
| CP1H-XA40D[]-[] | All versions | |
| CP1H-Y20DT-D | All versions | |
| CP1L-EL20D[]-[] | All versions | |
| CP1L-EM[][]D[]-[] | All versions | |
| CP1L-L[][]D[]-[] | All versions | |
| CP1L-M[][]D[]-[] | All versions | |
| CP1E-E[][]D[]-[] | All versions | |
| CP1E-NA[][]D[]-[] | All versions |
Discover Vulnerable PLCs
Our team has put together a report based on Omron’s list of vulnerable devices. Please note that OT scanning is only available in Lansweeper Cloud, so this report has been added to your Lansweeper Cloud installation. It will give you an overview of any potentially vulnerable Omron Programmable Controllers in your network. This way you have an actionable list of devices to start taking the necessary countermeasures to protect your network.
