Published: 2025/02/17 Last Updated: 2025/02/17
JVNVU#92320053
Out-of-bounds read vulnerability in OMRON CX-Programmer
Overview
OMRON CX-Programmer contains an out-of-bounds read vulnerability.
Products Affected
- CX-Programmer(*1)
- CX-One Ver.4 (CXONE-AL[][]D-V4) Ver.9.83 and earlier
Refer to "About CX-Programmer" in "Technical Specifications" of the manual below to check the affected products and versions.
- CX-Programmer Ver.9.[] Operation Manual (W446)
Description
CX-Programmer provided by OMRON Corporation contains an out-of-bounds read vulnerability (CWE-125, CVE-2025-0591).
Impact
If a user opens a specially crafted file, information may be disclosed and/or the affected product may crash.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version, which addresses the vulnerability.
- CX-Programmer
- CX-One Ver.4 (CXONE-AL[][]D-V4) Ver.9.84 or later
Vendor Status
Vendor | Link |
---|---|
OMRON Corporation | Out-of-bounds Read vulnerability in CX-Programmer |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
Metric | Possible values | Value in this vector |
---|---|---|
Attack Vector (AV) | Physical (P), Local (L), Adjacent (A), Network (N) | Local (L) |
Attack Complexity (AC) | High (H), Low (L) | Low (L) |
Privileges Required (PR) | High (H), Low (L), None (N) | None (N) |
User Interaction (UI) | Required (R), None (N) | Required (R) |
Scope (S) | Unchanged (U), Changed (C) | Unchanged (U) |
Confidentiality Impact (C) | None (N), Low (L), High (H) | High (H) |
Integrity Impact (I) | None (N), Low (L), High (H) | High (H) |
Availability Impact (A) | None (N), Low (L), High (H) | High (H) |
Credit
Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.