PT-2022-3096 · Omron · Omron Cs Series

Daniel Dos Santos +1 · Published 2022-06-22 · Updated 2022-08-04 · CVE-2022-31204

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Omron CS series, CJ series, and CP series PLCs through 2022-05-18

Description

The issue concerns the transmission of confidential information in cleartext, specifically passwords used for the UM Protection setting. This setting allows users or system integrators to configure a password to restrict sensitive engineering operations, such as project/logic uploads and downloads. The passwords are set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext. This could allow a remote attacker to gain unauthorized access to protected information.

Recommendations

For Omron CS series, CJ series, and CP series PLCs through 2022-05-18, consider disabling the UM Protection setting until a secure method of password transmission is implemented. Restrict access to the Program Area Protect and Program Area Protect Clear commands to minimize the risk of exploitation. Avoid using cleartext passwords for sensitive engineering operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
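An added example, not part of the advisory or of Omron's tooling: a minimal monitor supporting the recommendation to restrict these two commands, which flags FINS/UDP command frames that carry them without ever reading the password bytes. The 10-byte header layout and the command codes 03 04 / 03 05 are assumptions taken from Omron's public FINS command reference; the sample frames and the `allowed_sources` allowlist are constructed.

```python
import struct

# Assumptions from Omron's public FINS command reference, not from this advisory.
FINS_HEADER_LEN = 10        # ICF RSV GCT DNA DA1 DA2 SNA SA1 SA2 SID
ICF_RESPONSE_BIT = 0x40     # set in responses, clear in commands
WATCHED = {
    (0x03, 0x04): "PROGRAM AREA PROTECT",
    (0x03, 0x05): "PROGRAM AREA PROTECT CLEAR",
}

def classify_fins(payload, allowed_sources=frozenset()):
    """Return an alert dict for a watched FINS command frame, else None.

    payload is the UDP payload of one FINS/UDP datagram. The parameter bytes
    after the command code (where the password travels) are never parsed.
    """
    if len(payload) < FINS_HEADER_LEN + 2:
        return None                          # too short to hold a command code
    icf, _rsv, _gct, dna, da1, da2, sna, sa1, sa2, sid = struct.unpack_from("10B", payload)
    if icf & ICF_RESPONSE_BIT:
        return None                          # response frame, not a request
    name = WATCHED.get((payload[10], payload[11]))
    if name is None:
        return None                          # some other FINS command
    src = (sna, sa1, sa2)                    # FINS network, node, unit of the sender
    return {
        "command": name,
        "source": src,
        "destination": (dna, da1, da2),
        "sid": sid,
        "authorized_source": src in allowed_sources,
    }

def scan(frames, allowed_sources=frozenset()):
    """Classify a list of UDP payloads and keep only the alerts."""
    alerts = (classify_fins(f, allowed_sources) for f in frames)
    return [a for a in alerts if a is not None]

# Constructed sample payloads. Parameter bytes are zero filler, not a real layout.
HDR_CMD = bytes([0x80, 0x00, 0x02, 0x00, 0x0A, 0x00, 0x00, 0x64, 0x00, 0x01])
HDR_RSP = bytes([0xC0, 0x00, 0x02, 0x00, 0x64, 0x00, 0x00, 0x0A, 0x00, 0x01])
SAMPLE_PROTECT = HDR_CMD + b"\x03\x04" + bytes(8)
SAMPLE_CLEAR = HDR_CMD + b"\x03\x05" + bytes(8)
SAMPLE_READ = HDR_CMD + b"\x01\x01\x82\x00\x00\x00\x00\x01"   # MEMORY AREA READ
SAMPLE_RESPONSE = HDR_RSP + b"\x03\x04\x00\x00"

if __name__ == "__main__":
    for alert in scan([SAMPLE_PROTECT, SAMPLE_READ, SAMPLE_CLEAR, SAMPLE_RESPONSE]):
        print(alert)
```

Any alert on a network segment where UM Protection is in use means the password crossed the wire in cleartext, so an alert with `authorized_source` false is the case to investigate first.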

Weakness Enumeration

Cleartext Transmission of Sensitive Information

Related Identifiers

BDU:2022-03766
CVE-2022-31204

Affected Products

Omron Cs Series