Heap-based buffer overflow vulnerability in OMRON CX-Drive


CX-Drive provided by OMRON Corporation contains a heap-based buffer overflow vulnerability (CWE-122, CVE-2023-27385).

Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products

OMRON Corporation
  • CX-Drive All models all versions

To check the product names and versions, refer to the manual "CX-Drive Operation User's Manual (W453-E1) " provided by the developer.

By having a user open a specially crafted SDD file, arbitrary code may be executed and/or information may be disclosed.

[Apply Workarounds]
Applying the workarounds may mitigate the impacts of this vulnerability.
For the details of the workarounds, refer to the information provided by the developer under [Vendor Status] section.

Vendor Information

OMRON Corporation
CWE (What is CWE?)

  1. Heap-based Buffer Overflow(CWE-122) [Other]
CVE (What is CVE?)

  1. CVE-2023-27385

  1. JVN : JVNVU#97372625
Revision History

  • [2023/04/25]
      Web page was published
  • [2023/08/02]
      Affected Products : Product version was modified