CVE-2019-13533
Description
Omron PLC CJ and CS series are vulnerable to replay attacks allowing unauthorized opening/closing of industrial valves.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Omron PLC CJ series and CS series (all versions) contain a capture-replay vulnerability in the communication protocol between the PLC and controller. An attacker can monitor network traffic and replay captured requests to perform unauthorized actions, such as opening or closing industrial valves. The vulnerability is classified as Authentication Bypass by Capture-replay (CWE-294) and is remotely exploitable without authentication [1].
Exploitation
An attacker with network access to the PLC's communication channel (typically FINS port 9600) can passively capture legitimate traffic between the PLC and controller. No authentication or user interaction is required. The attacker then replays the captured requests to trigger unintended operations. The skill level required is low, as the attack does not require decryption or sophisticated techniques [1].
Impact
Successful exploitation allows an attacker to send commands that appear to originate from an authorized user, enabling control over industrial valves. This can lead to physical damage, safety hazards, or disruption of critical manufacturing processes. The impact affects integrity and availability of the system, with a CVSS v3 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H) [1].
Mitigation
No firmware fix has been released for this vulnerability. Omron recommends filtering access to the FINS port (default 9600) using a firewall and restricting IP addresses of devices connected to the PLC. CISA advises users to implement network segmentation and monitor for anomalous traffic. As of the advisory date (December 2019), no patched version is available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Omron/PLC CJ series
Patches
No patches discovered yet.
References
[1] www.us-cert.gov/ics/advisories/icsa-19-346-02 (NVD; Third Party Advisory; US Government Resource)