Vendor: Omron Automation

Software: CX-Server 5.0.15.5

Platform: Windows 10

Technical details:

-A DLL hijack of cxconfig.dll (default location: C:\Program Files (x86)\OMRON\CX-One\CX-Server\cxconfig.dll) may result in arbitrary code execution by each of the following program components:

~CDMDDE.EXE

~CDMIMPRT.EXE

~DataCollect.exe

Each of the above components loads the replaced DLL and executes its code without error or warning, potentially providing remote access to the affected machine with the privileges inherited from the original binary.

Sample exploit code is available here:

Remote access to the affected machine can be obtained by following the procedure below:

Replace cxconfig.dll with the sample binary. Open a listener at 172.16.38.162:8443. Execute the software components listed above.
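The replacement step above requires write access to cxconfig.dll or to its directory. The following PowerShell audit is an added example, not part of the original advisory or of Omron's software: it lists non-administrative principals that hold such access and records the DLL's hash and signature status. The trusted-account list, the baseline hash placeholder, and the assumption that the three executables sit in the same directory as the DLL are assumptions.

```powershell
# Added example: audits who could replace cxconfig.dll. The install path and file
# names are from the advisory; everything else here is an assumption.
$CxDir = 'C:\Program Files (x86)\OMRON\CX-One\CX-Server'
$Names = 'cxconfig.dll', 'CDMDDE.EXE', 'CDMIMPRT.EXE', 'DataCollect.exe'
$BaselineSha256 = '<SHA256-OF-CXCONFIG-DLL-FROM-TRUSTED-MEDIA>'   # placeholder

# Assumed set of principals allowed to write here (English-locale account names).
# CREATOR OWNER normally appears only as an inherit-only placeholder ACE.
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Rights that allow replacing or altering a file. 0x50000000 adds GENERIC_WRITE and
# GENERIC_ALL, which Get-Acl reports as raw numbers on some inherited ACEs.
$Rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteBits = ([int]$Rights) -bor 0x50000000

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $writable = ([int]$ace.FileSystemRights -band $WriteBits) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $writable -and
            $Trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

$dll = Join-Path $CxDir 'cxconfig.dll'
if (-not (Test-Path -LiteralPath $dll)) { throw "cxconfig.dll not found under $CxDir" }

# Audit the directory itself (planting or deleting files) and each named file in it.
$targets  = @($CxDir) + @(Get-ChildItem -LiteralPath $CxDir -File |
                Where-Object { $Names -contains $_.Name } |
                Select-Object -ExpandProperty FullName)
$findings = @($targets | ForEach-Object { Get-UntrustedWriteAce -Path $_ })

# SignatureStatus is informative only if the vendor signs this file (not stated in
# the advisory); the hash comparison needs a baseline taken from a trusted install.
$hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
$integrity = [pscustomobject]@{
    Sha256          = $hash
    MatchesBaseline = ($hash -eq $BaselineSha256)
    SignatureStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
}

$findings  | Format-Table -AutoSize
$integrity | Format-List
```

An empty findings table means only the assumed trusted principals can write to the directory and the named files; any row is an account that could perform the replacement step without administrative rights.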

Omron’s first reply to this advisory:

Omron’s second reply (after being reminded that their first reply was unacceptable):

Hey Omron: