VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2019 · Updated Aug 5, 2024

CVE-2019-18259

Description

Multiple authentication bypass flaws in Omron CJ, CS, and NX1P2 series PLCs let an attacker spoof messages or execute arbitrary commands remotely.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Omron CJ series (all versions), CS series (all versions), and NX1P2 series (all versions) programmable logic controllers (PLCs) are affected by three distinct vulnerabilities: authentication bypass by spoofing, authentication bypass by capture-replay, and an unrestricted externally accessible lock (CWE-412, CVE-2019-18269) [1]. The FINS protocol (default port 9600) lacks sufficient authentication, allowing an attacker to bypass security checks and send arbitrary messages to the PLC as if from an authorized user.

Exploitation

An unauthenticated attacker with network access to the affected PLC can exploit these vulnerabilities remotely with low skill level [1]. By sending specially crafted FINS packets or capturing and replaying legitimate commands, the attacker can spoof arbitrary messages to the device. No user interaction or special privileges are required. The attacker only needs network connectivity to the PLC’s FINS port.

Impact

Successful exploitation enables the attacker to pose as an authorized user, read status information (confidentiality impact: low), modify configuration or send commands (integrity impact: low), and potentially cause denial-of-service conditions (availability impact: high) [1]. The overall CVSS v3 base score is 8.6, reflecting the high availability impact and ease of remote exploitation.

Mitigation

Omron recommends filtering access to the FINS port (default 9600) using a firewall and blocking unnecessary remote access. Additionally, IP address filtering should be applied to restrict connections to authorized devices only [1]. As of the published advisory (Update B, November 29, 2022), these workarounds are the primary mitigations; no firmware patch is specified for the affected PLC series. Organizations should follow CISA guidance to minimize risk, including network segmentation and restricting external access to critical control networks.
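
One way to verify that the IP filtering recommended above is holding, as an added example that is not part of the advisory or any Omron tooling: it scans flow records for traffic to the FINS port on a PLC subnet from sources outside an allowlist. The log format, all addresses and the function name are constructed assumptions.

```python
import ipaddress

FINS_PORT = 9600  # default FINS port named in the advisory

# Assumption: engineering hosts permitted to speak FINS (constructed addresses).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.10/32", "10.20.0.11/32")]
# Assumption: subnet that holds the PLCs.
PLC_NETWORK = ipaddress.ip_network("10.20.1.0/24")

# Constructed flow records: "timestamp proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
2024-03-01T08:00:01Z udp 10.20.0.10 51000 10.20.1.5 9600
2024-03-01T08:00:07Z tcp 10.20.0.11 51012 10.20.1.5 9600
2024-03-01T08:02:44Z udp 192.0.2.77 40022 10.20.1.5 9600
2024-03-01T08:03:10Z tcp 10.20.0.10 51020 10.20.1.5 443
2024-03-01T08:05:31Z tcp 10.30.4.9 49833 10.20.1.6 9600
malformed line
"""

def audit_fins_flows(text, allowed=ALLOWED_SOURCES, plc_net=PLC_NETWORK, port=FINS_PORT):
    """Return (violations, skipped): flows to the FINS port on a PLC from a
    source outside the allowlist, and lines that could not be parsed."""
    violations, skipped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, proto, src, _sport, dst, dport = line.split()
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            # Keep unparsable lines visible so gaps in the log are not silent.
            skipped.append(line)
            continue
        # Only FINS traffic (UDP or TCP) aimed at the PLC subnet is in scope.
        if proto.lower() not in ("udp", "tcp") or dport != port or dst_ip not in plc_net:
            continue
        if not any(src_ip in net for net in allowed):
            violations.append({"time": ts, "proto": proto, "src": src, "dst": dst})
    return violations, skipped

if __name__ == "__main__":
    bad, skipped = audit_fins_flows(SAMPLE_FLOWS)
    for v in bad:
        print(f"{v['time']} unauthorized FINS/{v['proto']} {v['src']} -> {v['dst']}:{FINS_PORT}")
    print(f"{len(skipped)} unparsable line(s)")
```

Any violation means a firewall or IP filter rule is missing or bypassed on the path to that PLC.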

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
