Cyber Resilience

CVE-2023-27396

Critical

Published: 19 June 2023

Published
19 June 2023
Modified
24 December 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0167 82.5th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-27396 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Omron Cp1W-Cif01 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 17.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON products. Multiple OMRON products that implement FINS protocol contain…

more

following security issues -- (1)Plaintext communication, and (2)No authentication required. When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device. Affected products and versions are as follows: SYSMAC CS-series CPU Units, all versions, SYSMAC CJ-series CPU Units, all versions, SYSMAC CP-series CPU Units, all versions, SYSMAC NJ-series CPU Units, all versions, SYSMAC NX1P-series CPU Units, all versions, SYSMAC NX102-series CPU Units, all versions, and SYSMAC NX7 Database Connection CPU Units (Ver.1.16 or later)

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

omron
cs1w-eip21 firmware
all versions
omron
cs1w-spu01-v2 firmware
all versions
omron
cs1w-spu02-v2 firmware
all versions
omron
cs1w-etn21 firmware
all versions
omron
cs1w-clk firmware
all versions
omron
cs1w-fln22 firmware
all versions
omron
cs1w-drm21-v1 firmware
all versions
omron
cs1w-nc271 firmware
all versions
omron
cs1w-nc471 firmware
all versions
omron
cs1w-ncf71 firmware
all versions
+261 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-306

Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.

addresses: CWE-306

Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.

addresses: CWE-306

Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.

addresses: CWE-306

Guarantees critical functions are protected by mandatory invocation of the access control mechanism.

addresses: CWE-306

Auditing sessions makes it possible to detect access to critical functions without required authentication.

addresses: CWE-306

The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.

addresses: CWE-306

Certification assesses that critical functions have required authentication controls in place.

addresses: CWE-306

Disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components.

References