CVE-2022-21137
Published: 14 January 2022
Summary
CVE-2022-21137 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in Omron CX-One. Its CVSS base score is 7.8 (High).
In operational terms, it ranks in the top 27.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Omron CX-One versions 4.60 and earlier contain a stack-based buffer overflow vulnerability, tracked as CVE-2022-21137 and associated with both CWE-121 and CWE-787. The flaw is triggered while processing specially crafted project files. It carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low attack complexity, no required privileges, and required user interaction.
An attacker can supply a malicious project file that, once opened by a victim, allows arbitrary code execution with impacts to confidentiality, integrity, and availability. The attack vector is local: the attacker needs no privileges on the target beyond the ability to induce the user to load the file.
Public advisories addressing the issue have been published by CISA (ICSA-22-006-01) and the Zero Day Initiative (ZDI-22-373 and ZDI-22-374).
The EPSS score for this CVE rose from a low baseline to a peak of 0.0609 on 2025-01-22 before receding to its current value of 0.0071, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-26384
Vulnerability details
Omron CX-One Versions 4.60 and prior are vulnerable to a stack-based buffer overflow while processing specific project files, which may allow an attacker to execute arbitrary code.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Out-of-bounds writes that corrupt control flow or inject shellcode are blocked by memory protections that mark writable memory non-executable; on the affected host, confirm that such protections (for example DEP/NX) are enabled for the CX-One process.