CVE-2022-21137
published 2022-01-14CVE-2022-21137: Omron CX-One Versions 4.60 and prior are vulnerable to a stack-based buffer overflow while processing specific project files, which may allow an attacker to…
PriorityP346high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EPSS
9.27%
94.7th percentile
Omron CX-One Versions 4.60 and prior are vulnerable to a stack-based buffer overflow while processing specific project files, which may allow an attacker to execute arbitrary code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| omron | cx-one | <= 4.60 | — |
| omron | cx-one | All – 4.60 | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Omron CX-One
cisa_ics·2022-01-06·CVSS 7.8
[HIGH] Omron CX-One
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Omron CX-One
Last RevisedJanuary 06, 2022
Alert CodeICSA-22-006-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: Omron
- Equipment: CX-One
- Vulnerabilities: Stack-based Buffer Overflow
## 2. RISK EVALUATION
Successful exploitation of this vulnerability may allow arbitrary code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of CX-One automation software are affected:
- CX-One: Versions 4.60 and prior
## 3.2 VULNERABILITY OVERVIEW
## 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121
The affected product
GHSA
GHSA-5g39-42r3-hp8f: Omron CX-One Versions 4
ghsa_unreviewed·2022-01-15
CVE-2022-21137 [HIGH] CWE-787 GHSA-5g39-42r3-hp8f: Omron CX-One Versions 4
Omron CX-One Versions 4.60 and prior are vulnerable to a stack-based buffer overflow while processing specific project files, which may allow an attacker to execute arbitrary code.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://www.cisa.gov/uscert/ics/advisories/icsa-22-006-01https://www.zerodayinitiative.com/advisories/ZDI-22-373/https://www.zerodayinitiative.com/advisories/ZDI-22-374/https://www.cisa.gov/uscert/ics/advisories/icsa-22-006-01https://www.zerodayinitiative.com/advisories/ZDI-22-373/https://www.zerodayinitiative.com/advisories/ZDI-22-374/
2022-01-14
Published