JVNDB-2025-001016

OMRON NJ/NX series vulnerable to path traversal

Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-12083).

OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

OMRON Corporation

• Machine automation controller NJ series NJ101-[][][][], NJ301-[][][][], NJ501-1[]0[] Ver.1.64.05 and earlier, Lot No. 30924 (September 30, 2024) and earlier (*1)
• Machine automation controller NJ series NJ501-1[]2[], NJ501-1340, NJ501-4[][][], NJ501-5300, NJ501-R[][][] Ver.1.64.04 and earlier, Lot No. 30924 (September 30, 2024) and earlier (*1)
• Machine automation controller NX series NX1P2-[][][][][][], NX1P2-[][][][][][]1 Ver.1.64.04 and earlier, Lot No.19Y24 (November 19, 2024) and earlier (*2)

Refer to the developer's advisory "Appendix" section regarding how to check the affected versions.
(*1) Refer to "ID Information Indication" section of the manual "NJ-series CPU unit Hardware User's Manual (W500)" regarding how to check Lot No.
(*2) Refer to "ID Information Indication" section of the manual "NX1P2 CPU Unit User's Manual (Hardware) (W578)" regarding how to check Lot No. As for the details, refer to the information provided by the developer.

An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege.

[Update the software]
Update the software to the latest version according to the information provided by the developer.

As for how to obtain the update or how to apply the update, refer to the information provided by the developer.

OMRON Corporation

• OMRON Corporation : Path Traversal Vulnerabilities in NJ/NX-series Machine Automation Controllers

1. Path Traversal(CWE-22) [Other]

1. CVE-2024-12083

1. JVN : JVNVU#96335720

• [2025/01/15]
    Web page was published