Published:2025/07/14  Last Updated:2025/07/14

JVNVU#96149970
Least Privilege Violation Vulnerability in the communications functions of NJ/NX series Machine Automation Controllers

Overview

A least privilege violation vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software provided by OMRON Corporation.

Products Affected

  • Machine Automation Controller NJ-series
    • NJ101-[][][][] Ver.1.67.00 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NJ301-1[]00 Ver.1.67.00 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NJ501-1[]00 Ver.1.67.02 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NJ501-1[]20 Ver.1.68.01 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NJ501-1340 Ver.1.67.00 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NJ501-4[][][] Ver.1.67.00 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NJ501-5300 Ver.1.67.01 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NJ501-R[]00 Ver.1.67.01 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NJ501-R[]20 Ver.1.67.00 or lower
      • Lot No. Until 13725 (July 13, 2025)
  • Machine Automation Controller NX-series
    • NX102-[][][][] Ver.1.68.01 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NX1P2-[][][][][][] Ver.1.64.09 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NX1P2-[][][][][][]1 Ver.1.64.09 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NX502-[][][][] Ver.1.68.01 or lower
      • Lot No. Until 13725 (July 13, 2025)
    • NX701-[][][][] Ver.1.35.09 or lower
      • Lot No. Until 13725 (July 13, 2025)
  • Sysmac Studio Software
    • SYSMAC-SE2[][][]
      • All versions

For details on how to check the version and/or Lot No., refer to the information provided by the developer.

Description

A least privilege violation vulnerability (CWE-272) exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software provided by OMRON Corporation.

  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Base Score 7.0
  • CVE-2025-1384

Impact

A remote unauthenticated attacker may access the affected products and perform arbitrary operations.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer, and configure secure communication version 2.
For details on how to obtain and apply updates, refer to the information provided by the developer.

Apply the workaround
The developer recommends that users apply the following workarounds.

  • Use the secure communication function (implemented in specific products)
  • Restrict access to the products
For more information, refer to the information provided by the developer.

Credit

OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.