CVE-2022-33971
published 2022-07-04CVE-2022-33971: Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation…
PriorityP342high7.5CVSS 3.1
AVAACHPRNUINSUCHIHAH
EPSS
1.03%
59.5th percentile
Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier, which may allow an adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally to cause a denial-of-service (DoS) condition or execute a malicious program.
Affected
52 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| omron | nj-pa3001_firmware | <= 1.48 | — |
| omron | nj-pd3001_firmware | <= 1.48 | — |
| omron | nj101-1000_firmware | <= 1.48 | — |
| omron | nj101-1020_firmware | <= 1.48 | — |
| omron | nj101-9000_firmware | <= 1.48 | — |
| omron | nj101-9020_firmware | <= 1.48 | — |
| omron | nj301-1100_firmware | <= 1.48 | — |
| omron | nj301-1200_firmware | < 1.48 | 1.48 |
| omron | nj501-1300_firmware | <= 1.48 | — |
| omron | nj501-1320_firmware | <= 1.48 | — |
| omron | nj501-1340_firmware | <= 1.48 | — |
| omron | nj501-140_firmware | <= 1.48 | — |
| omron | nj501-1420_firmware | <= 1.48 | — |
| omron | nj501-1500_firmware | <= 1.48 | — |
| omron | nj501-1520_firmware | <= 1.48 | — |
| omron | nj501-4300_firmware | <= 1.48 | — |
| omron | nj501-4310_firmware | <= 1.48 | — |
| omron | nj501-4320_firmware | <= 1.48 | — |
| omron | nj501-4400_firmware | <= 1.48 | — |
| omron | nj501-4500_firmware | <= 1.48 | — |
| omron | nj501-5300_firmware | <= 1.48 | — |
| omron | nj501-r300_firmware | <= 1.48 | — |
| omron | nj501-r320_firmware | <= 1.48 | — |
| omron | nj501-r400_firmware | <= 1.48 | — |
| omron | nj501-r420_firmware | <= 1.48 | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.05.4MEDIUMAV:A/AC:M/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-29r3-8mg2-rxqp: Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1
ghsa_unreviewed·2022-07-05
CVE-2022-33971 [HIGH] CWE-294 GHSA-29r3-8mg2-rxqp: Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1
Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier, which may allow an adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally to cause a denial-of-service (DoS) condition or execute a malicious program.
CISA ICS
Omron NJ/NX-series Machine Automation Controllers
cisa_ics·2022-11-10·CVSS 7.5
[HIGH] Omron NJ/NX-series Machine Automation Controllers
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Omron NJ/NX-series Machine Automation Controllers
Last RevisedNovember 10, 2022
Alert CodeICSA-22-314-07
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.3
- ATTENTION: Exploitable remotely, public exploits are available
- Vendor: Omron
- Equipment: NJ/NX-series Machine Automation Controllers
- Vulnerability: Active Debug Code
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to obtain unauthorized access to the device and cause the device to be in an “out of service” state or execute a malicious program on the device.
## 3. TECHNICAL DETAILS
No detection rules found.
No public exploits indexed.
2022-07-04
Published