CVE-2022-31207

Name of the Vulnerable Software and Affected Versions Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18

Description The issue is related to a lack of cryptographic authentication in the Omron FINS (9600/TCP) protocol used for engineering purposes, including downloading projects and control logic to the PLC. This allows an attacker to manipulate transmitted object code to the PLC and execute arbitrary object code commands on the ASIC or the microprocessor interpreter. The logic downloaded to the PLC exists in compiled object code form and is executed after being passed to a dedicated ASIC or the microprocessor for interpretation.

Recommendations As a temporary workaround, consider restricting access to the FINS protocol to minimize the risk of exploitation. Avoid using the FINS Program Area Read and Program Area Write commands until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.