CVE-2022-21124
📋 TL;DR
CVE-2022-21124 is an out-of-bounds write vulnerability in Omron CX-Programmer software that allows attackers to execute arbitrary code or disclose information when users open malicious CXP files. This affects CX-Programmer v9.76.1 and earlier as part of the CX-One v4.60 suite. Industrial control system operators and engineers using this PLC programming software are at risk.
💻 Affected Systems
- Omron CX-Programmer
- Omron CX-One
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the affected system, potentially leading to industrial process disruption, data theft, or lateral movement within OT networks.
Likely Case
Arbitrary code execution on the engineering workstation, allowing attackers to steal sensitive PLC programs, credentials, or install persistent malware.
If Mitigated
Limited impact if proper network segmentation, application whitelisting, and user awareness training prevent malicious file execution.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious CXP file. Public exploit details exist in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CX-Programmer v9.77 or later, CX-One v4.61 or later
Vendor Advisory: https://www.omron.com/global/en/
Restart Required: Yes
Instructions:
1. Download latest CX-Programmer/CX-One from Omron support portal.
2. Uninstall current version.
3. Install updated version.
4. Restart system.
🔧 Temporary Workarounds
Restrict CXP file handling
Configure Windows to open CXP files with a text editor instead of CX-Programmer
assoc .cxp=txtfile
ftype txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
Application control policy
Implement application whitelisting to prevent unauthorized execution of CX-Programmer
🧯 If You Can't Patch
- Implement strict network segmentation to isolate engineering workstations from untrusted networks
- Train users to never open CXP files from untrusted sources and implement email filtering for CXP attachments
🔍 How to Verify
Check if Vulnerable:
Check CX-Programmer version via Help > About in the application or check installed programs in Control Panel
Check Version:
wmic product where "name like '%CX-Programmer%'" get version
Verify Fix Applied:
Verify installed version is v9.77 or later for CX-Programmer or v4.61 or later for CX-One
📡 Detection & Monitoring
Log Indicators:
- Unexpected CX-Programmer crashes
- Process creation from CX-Programmer with unusual command lines
- File creation/modification by CX-Programmer in unusual locations
Network Indicators:
- Outbound connections from engineering workstations to suspicious IPs following CXP file opening
SIEM Query:
source="windows" AND ((process_name="CX-Programmer.exe" AND (event_id=1000 OR event_id=1001)) OR (file_extension=".cxp" AND file_operation="open"))
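The query above matches crashes and CXP opens separately. The added example below (not part of the original page or any vendor tooling) correlates the log indicators instead: it alerts only when a crash or child process of CX-Programmer follows a .cxp open on the same host. The event schema, the 5-minute window and the sample events are assumptions constructed for illustration; the process name and event IDs come from the query above.

```python
from datetime import datetime, timedelta

# Process name and event IDs are taken from the SIEM query on this page.
# The normalized event schema (ts/host/kind/...) is an assumption.
CXP_PROCESS = "cx-programmer.exe"
CRASH_EVENT_IDS = {1000, 1001}
WINDOW = timedelta(minutes=5)  # assumed correlation window


def correlate(events):
    """Return (host, reason, cxp_path) alerts for activity following a .cxp open."""
    last_open = {}  # host -> (timestamp, path) of the most recent .cxp open
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["kind"] == "file_open" and ev["path"].lower().endswith(".cxp"):
            last_open[host] = (ev["ts"], ev["path"])
            continue
        opened = last_open.get(host)
        if opened is None or ev["ts"] - opened[0] > WINDOW:
            continue  # no recent .cxp open on this host: not correlated
        if (ev["kind"] == "app_crash" and ev["event_id"] in CRASH_EVENT_IDS
                and ev["process"].lower() == CXP_PROCESS):
            alerts.append((host, "crash_after_cxp_open", opened[1]))
        elif ev["kind"] == "process_create" and ev["parent"].lower() == CXP_PROCESS:
            alerts.append((host, "child_process_after_cxp_open", opened[1]))
    return alerts


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": _t("2022-07-01 09:00:00"), "host": "ews01", "kind": "file_open",
     "path": r"C:\Users\eng\Downloads\line3.cxp"},
    {"ts": _t("2022-07-01 09:00:20"), "host": "ews01", "kind": "app_crash",
     "event_id": 1000, "process": "CX-Programmer.exe"},
    {"ts": _t("2022-07-01 09:00:25"), "host": "ews01", "kind": "process_create",
     "parent": "CX-Programmer.exe", "image": "cmd.exe"},
    {"ts": _t("2022-07-01 10:00:00"), "host": "ews02", "kind": "file_open",
     "path": r"D:\Projects\pump.cxp"},
    {"ts": _t("2022-07-01 11:30:00"), "host": "ews02", "kind": "app_crash",
     "event_id": 1000, "process": "CX-Programmer.exe"},  # outside the window
    {"ts": _t("2022-07-01 12:00:00"), "host": "ews03", "kind": "app_crash",
     "event_id": 1001, "process": "CX-Programmer.exe"},  # no prior .cxp open
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the two ews01 events alert; the ews02 crash falls outside the window and the ews03 crash has no preceding .cxp open.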
🔗 References
- http://www.openwall.com/lists/oss-security/2022/06/14/4
- http://www.openwall.com/lists/oss-security/2022/06/16/1
- http://xenbits.xen.org/xsa/advisory-404.html
- https://jvn.jp/en/vu/JVNVU90121984/index.html