JVNDB-2025-008881

Least Privilege Violation Vulnerability in the communications functions of NJ/NX series Machine Automation Controllers

Overview

A least privilege violation vulnerability (CWE-272, CVE-2025-1384) exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software provided by OMRON Corporation.

OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.0 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: High

Affected Products

OMRON Corporation
  • Automation software "Sysmac Studio" SYSMAC-SE2[][][] All versions
  • Machine automation controller NJ series NJ101-[][][][] Ver.1.67.00 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NJ series NJ301-1[]00 Ver.1.67.00 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NJ series NJ501-1[]00 Ver.1.67.02 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NJ series NJ501-1[]20 Ver.1.68.01 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NJ series NJ501-1340 Ver.1.67.00 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NJ series NJ501-4[][][] Ver.1.67.00 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NJ series NJ501-5300 Ver.1.67.01 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NJ series NJ501-R[]00 Ver.1.67.01 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NJ series NJ501-R[]20 Ver.1.67.00 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NX series NX102-[][][][] Ver.1.68.01 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NX series NX1P2-[][][][][][] Ver.1.64.09 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NX series NX1P2-[][][][][][]1 Ver.1.64.09 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NX series NX502-[][][][] Ver.1.68.01 or lower * Lot No. Until 13725 (July 13, 2025)
  • Machine automation controller NX series NX701-[][][][] Ver.1.35.09 or lower * Lot No. Until 13725 (July 13, 2025)

For details on how to check the version and/or Lot No., refer to the information provided by the developer.

Impact

A remote unauthenticated attacker may access the affected products and perform arbitrary operations.

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer and set the secure communication version to 2.
For details on how to obtain and apply updates, refer to the information provided by the developer.

[Apply the workaround]
The developer recommends that users apply the following workarounds.

  • Use the secure communication function (implemented in specific products)
  • Restrict access to the products

For more information, refer to the information provided by the developer.

Vendor Information

OMRON Corporation

CWE

  1. Least Privilege Violation (CWE-272) [Other]

CVE

  1. CVE-2025-1384

References

  1. JVN : JVNVU#96149970

Revision History

  • [2025/07/15]
      Web page was published