Cyber Resilience

CVE-2022-21137

High

Published: 14 January 2022

Modified: 21 November 2024
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0071 (72.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-21137 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Omron Cx-One. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 27.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Omron CX-One versions 4.60 and earlier contain a stack-based buffer overflow vulnerability, tracked as CVE-2022-21137 and classified under CWE-121 and CWE-787. The flaw is triggered while processing specially crafted project files and carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low attack complexity, no privileges required, and user interaction required.

An attacker can supply a malicious project file that, once opened by a victim, allows arbitrary code execution with high impact to confidentiality, integrity, and availability. The attack vector is local and requires no elevated privileges beyond the ability to induce the target user to load the file.

Public advisories addressing the issue have been published by CISA (ICSA-22-006-01) and the Zero Day Initiative (ZDI-22-373 and ZDI-22-374).

EPSS for the CVE rose from a low baseline to a peak of 0.0609 on 2025-01-22 before receding to the current value of 0.0071, indicating a period of increased exploitation interest after disclosure.


Vulnerability details

Omron CX-One Versions 4.60 and prior are vulnerable to a stack-based buffer overflow while processing specific project files, which may allow an attacker to execute arbitrary code.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

omron / cx-one, versions ≤ 4.60

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-787: out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by memory protections.
