JVNDB-2025-001562

Out-of-bounds read vulnerability in OMRON CX-Programmer

Overview

CX-Programmer provided by OMRON Corporation contains an out-of-bounds read vulnerability (CWE-125, CVE-2025-0591).

Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Affected Products

CX-Programmer (*1)

OMRON Corporation
  • CX-One Ver.4 (CXONE-AL[][]D-V4) Ver.9.83 and earlier

(*1) CX-Programmer is included in CX-One.
To check the affected products and versions, refer to "About CX-Programmer" in "Technical Specifications" of the manual below.
  • CX-Programmer Ver.9.[] Operation Manual (W446)

Impact

If a user opens a specially crafted file, information disclosure and/or a crash of the affected product may result.

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version, which addresses the vulnerability.

  • CX-Programmer
    • CX-One Ver.4 (CXONE-AL[][]D-V4) Ver.9.84 or later

Contact the sales representatives or distributors for details on how to obtain the update, how to update the product, etc.

Vendor Information

OMRON Corporation

CWE

  1. Out-of-bounds Read (CWE-125) [Other]

CVE

  1. CVE-2025-0591

References

  1. JVN : JVNVU#92320053

Revision History

  • [2025/02/18]
      Web page was published