CVE-2022-33208
Description
A remote attacker can replay captured communication between OMRON controllers and software to bypass authentication and access the controller without credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote attacker can replay captured communication between OMRON controllers and software to bypass authentication and access the controller without credentials.
Vulnerability
An authentication bypass by capture-replay vulnerability (CWE-294) exists in the communication function of OMRON Machine automation controller NJ series (all models V1.48 and earlier), NX7 series (all models V1.28 and earlier), NX1 series (all models V1.48 and earlier), Automation software 'Sysmac Studio' (all models V1.49 and earlier), and Programmable Terminal (PT) NA series (NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier) [1]. The flaw affects the protocol used between the controller and Sysmac Studio or a PT.
Exploitation
An attacker must be able to capture network traffic between the affected controller and Sysmac Studio or a PT. The attacker then replays the captured authentication sequence to impersonate a legitimate client. No prior authentication or user interaction is required beyond passively recording traffic; however, the attack complexity is rated High by the CVSS vector (AC:H), suggesting that timing or session-specific data may increase difficulty [1].
Impact
Successful exploitation allows a remote attacker to bypass authentication and gain access to the controller. The CVSS v3 base score is 7.5, with impacts of High confidentiality, High integrity, and High availability [1]. The attacker can fully compromise the controller after replaying the captured communication, without needing valid credentials.
Mitigation
OMRON has released firmware updates for affected products. Users should apply the latest versions as described in OMRON's advisory. No workaround is provided in the available references [1]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory publication.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: <=1.49
- OMRON Corporation/Machine automation controller NJ series, Machine automation controller NX series, Automation software 'Sysmac Studio', and Programmable Terminal (PT) NA seriesv5Range: Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2- jvn.jp/en/vu/JVNVU97050784/index.htmlmitrex_refsource_MISC
- www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdfmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.