VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2019 · Updated Aug 5, 2024

CVE-2019-18261

Description

Omron PLC CS, CJ, and NJ series (all versions) lack rate limiting on authentication attempts, enabling remote brute-force attacks that can lead to unauthorized FTP access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Omron PLC CS series, CJ series, and NJ series, all versions, do not restrict the number of authentication attempts a client can make within a short time frame. The affected FTP interface implements neither rate limiting nor account lockout, so it is exposed to automated brute-force attacks. The weakness is cataloged as CWE-307, improper restriction of excessive authentication attempts [1].

Exploitation

An unauthenticated attacker with network access to the PLC’s FTP port (default TCP 21) can launch repeated login attempts without any rate-limiting or lockout countermeasures. The attack requires only low skill and can be performed remotely; no prior authentication or user interaction is needed. The attacker simply enumerates username/password pairs until valid credentials are found [1].

Impact

Successful exploitation grants the attacker unauthorized access to the FTP interface of the targeted Omron PLC with the privileges of the guessed account. Through that interface the attacker can read, modify, or delete whatever files the FTP service exposes on the controller; which files those are depends on the controller's FTP configuration. Depending on what is exposed, this can disrupt operations, leak proprietary logic, or cause a denial of service [1].

Mitigation

Omron recommends several mitigations: filter FTP port access via firewalls, block remote access to TCP port 21, restrict connections by IP address, and enforce strong passwords. Users should also isolate PLC networks from the internet and use VPNs for remote access. Note that a strong password only lengthens a brute force that the device itself never throttles; the effective control is restricting which hosts can reach port 21 at all. No software fix is mentioned in the available references; the advisory is dated 2019-12-16 and no patched firmware release is reported. The vulnerability is not known to be exploited in the wild per CISA [1].
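The gap described under Exploitation and the controls recommended above, as an added example that is not Omron's code and is not taken from the cited advisory: a simulated FTP login handler that evaluates every attempt without limit, beside a hardened handler that enforces a source-IP allowlist, a sliding-window failure counter and a lockout, the kind of policy a firewall or bastion in front of TCP 21 should apply. The credential store, wordlist, IP addresses, thresholds and FTP reply codes are constructed for the demo; time is passed in as a parameter instead of sleeping, so the script runs offline.

```python
"""Simulated FTP login policies: unthrottled (the behaviour the advisory
describes) beside a throttled, IP-restricted variant.  Constructed example;
the PLC's real login handling is not public and is not modelled here."""
import hmac
from collections import defaultdict, deque

# Constructed credential store; the password is an assumption for the demo.
VALID_CREDS = {"admin": "plc-2019!"}


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison so the check itself leaks no timing signal."""
    expected = VALID_CREDS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


class UnthrottledFtpAuth:
    """Models CWE-307: every attempt is evaluated, none are ever refused."""

    def login(self, src_ip, user, password, now):
        return "230 OK" if check_password(user, password) else "530 Login incorrect"


class ThrottledFtpAuth:
    """Hardened model: source allowlist, sliding-window failure count, lockout."""

    def __init__(self, allowed_ips, max_failures=5, window=60.0, lockout=900.0):
        self.allowed_ips = set(allowed_ips)
        self.max_failures = max_failures
        self.window = window          # seconds over which failures are counted
        self.lockout = lockout        # seconds a source stays locked out
        self.failures = defaultdict(deque)   # src_ip -> timestamps of failures
        self.locked_until = {}               # src_ip -> time the lockout expires

    def login(self, src_ip, user, password, now):
        if src_ip not in self.allowed_ips:
            return "421 Service not available"      # drop the connection
        if self.locked_until.get(src_ip, 0.0) > now:
            return "421 Too many failed logins"
        if check_password(user, password):
            self.failures.pop(src_ip, None)        # success resets the counter
            return "230 OK"
        fails = self.failures[src_ip]
        fails.append(now)
        while fails and now - fails[0] > self.window:
            fails.popleft()                        # forget failures outside window
        if len(fails) >= self.max_failures:
            self.locked_until[src_ip] = now + self.lockout
            fails.clear()
        return "530 Login incorrect"


def brute_force(auth, src_ip, user, wordlist, interval=0.01):
    """Dictionary attack against one account.

    Returns (password_or_None, attempts_made, locked_out).  `interval` is the
    simulated delay between attempts; a real tool would run far faster than
    the 60-second window, which is exactly what the lockout is there to stop."""
    now = 0.0
    for attempts, guess in enumerate(wordlist, start=1):
        reply = auth.login(src_ip, user, guess, now)
        if reply.startswith("230"):
            return guess, attempts, False
        if reply.startswith("421"):
            return None, attempts, True
        now += interval
    return None, len(wordlist), False


# Constructed wordlist; the correct password is deliberately deep in the list.
WORDLIST = ["password", "admin", "omron", "12345678", "plc", "cj2m",
            "Password1", "controller", "plc-2019!", "root"]


def demo():
    attacker = "203.0.113.7"                       # not on the allowlist
    weak = UnthrottledFtpAuth()
    hardened = ThrottledFtpAuth(allowed_ips={"192.0.2.10"})   # engineering workstation only
    return {
        "unthrottled": brute_force(weak, attacker, "admin", WORDLIST),
        "hardened_wrong_ip": brute_force(hardened, attacker, "admin", WORDLIST),
        "hardened_allowed_ip": brute_force(hardened, "192.0.2.10", "admin", WORDLIST),
    }


if __name__ == "__main__":
    for name, (pw, n, locked) in demo().items():
        print(f"{name}: password={pw!r} attempts={n} locked_out={locked}")
```

Against the unthrottled handler the attacker recovers the password on the ninth guess; the hardened handler rejects the attacker at the first attempt because the source is not allowlisted, and even a permitted host is locked out after five failures, long before a ten-word list is exhausted. Since the operator cannot change the PLC firmware, the throttled policy belongs in the device in front of port 21, not on the controller.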

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.