{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13913", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-12-02T17:43:55.964Z", "datePublished": "2026-03-12T18:17:22.839Z", "dateUpdated": "2026-03-17T15:29:47.962Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-17T15:29:47.962Z"}, "title": "Inductive Automation Ignition Software Deserialization of Untrusted Data", "datePublic": "2026-03-12T15:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502", "type": "CWE"}]}], "affected": [{"vendor": "Inductive Automation", "product": "Ignition Software", "versions": [{"status": "affected", "version": "0", "lessThan": "8.3.0", "versionType": "custom"}, {"status": "unaffected", "version": "8.3.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span>A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.</span>"}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"}, {"url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"}}], "workarounds": [{"lang": "en", "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide", "supportingMedia": [{"type": "text/html", "base64": false, "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}]}, {"lang": "en", "value": "MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u00a0\n\n * Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u00a0a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u00a0\n * Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u00a0\n * Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\n * Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\n * Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u00a0 \nproduction environments. See Ignition Deployment Best Practices.\n * When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\n * When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\n * When feasible, deploy Ignition \nwithin hardened or containerized environments.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>\nMITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.&nbsp;</div><div><ol><li>Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).&nbsp;a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.&nbsp;</li><li>Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).&nbsp;</li><li>Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.</li><li>Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.</li><li>Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to&nbsp; \nproduction environments. See Ignition Deployment Best Practices.</li><li>When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.</li><li>When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).</li><li>When feasible, deploy Ignition \nwithin hardened or containerized environments.\n\n\n\n<br></li></ol></div>"}]}], "solutions": [{"lang": "en", "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater."}]}], "credits": [{"lang": "en", "value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation.", "type": "finder"}], "source": {"advisory": "ICSA-26-071-06", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:06:06.866760Z", "id": "CVE-2025-13913", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:06:53.296Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13913", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T19:06:06.866760Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:06:39.250Z"}}], "cna": {"title": "Inductive Automation Ignition Software Deserialization of Untrusted Data", "source": {"advisory": "ICSA-26-071-06", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.4, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Inductive Automation", "product": "Ignition Software", "versions": [{"status": "affected", "version": "0", "lessThan": "8.3.0", "versionType": "custom"}, {"status": "unaffected", "version": "8.3.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater.", "supportingMedia": [{"type": "text/html", "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater.", "base64": false}]}], "datePublic": "2026-03-12T15:00:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"}, {"url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}], "workarounds": [{"lang": "en", "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide", "supportingMedia": [{"type": "text/html", "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide", "base64": false}]}, {"lang": "en", "value": "MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u00a0\n\n * Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u00a0a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u00a0\n * Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u00a0\n * Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\n * Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\n * Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u00a0 \nproduction environments. See Ignition Deployment Best Practices.\n * When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\n * When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\n * When feasible, deploy Ignition \nwithin hardened or containerized environments.", "supportingMedia": [{"type": "text/html", "value": "<div>\nMITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.&nbsp;</div><div><ol><li>Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).&nbsp;a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.&nbsp;</li><li>Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).&nbsp;</li><li>Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.</li><li>Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.</li><li>Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to&nbsp; \nproduction environments. See Ignition Deployment Best Practices.</li><li>When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.</li><li>When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).</li><li>When feasible, deploy Ignition \nwithin hardened or containerized environments.\n\n\n\n<br></li></ol></div>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.", "supportingMedia": [{"type": "text/html", "value": "<span>A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-17T15:29:47.962Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13913", "state": "PUBLISHED", "dateUpdated": "2026-03-17T15:29:47.962Z", "dateReserved": "2025-12-02T17:43:55.964Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-03-12T18:17:22.839Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code."}, {"lang": "es", "value": "El Software Ignition de Inductive Automation es vulnerable a una exposici\u00f3n de endpoint de API no autenticado que puede permitir a un atacante cambiar remotamente la direcci\u00f3n de correo electr\u00f3nico de recuperaci\u00f3n de 'olvid\u00e9 mi contrase\u00f1a'."}], "id": "CVE-2025-13913", "lastModified": "2026-03-17T16:16:17.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-03-12T19:16:14.250", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.3.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "8.3.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Ignition Software", "source": "cna", "vendor": "Inductive Automation"}, "product": "ignition", "vendor": "inductiveautomation"}], "analysis": {"en": {"generated_at": "2026-03-17T17:01:01.185153+00:00", "value": {"mitigation_remediation": ["Upgrade Ignition software to version 8.3.0 or greater (official solution).", "Apply the provided workaround by following the Ignition Security Hardening Guide Appendix\u00a0A for Linux and Windows, including creating a dedicated local service account, restricting file system access, and enforcing strong credential management. ", "Restrict project imports to verified and trusted sources only, using checksums or digital signatures. ", "Use separated environments (Dev, Test, Prod) with a staging workflow to prevent new data from entering production immediately. ", "Where feasible, isolate Ignition gateways from corporate resources and Windows domains, configure the service account with the least privileges, and consider deploying Ignition within hardened or containerized environments."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Inductive Automation Ignition Software, specifically versions 8.1.x. The vulnerability is fixed by upgrading to version 8.3.0 or later. Vendors have issued a solution recommending this upgrade.", "description_and_impact": "A privileged Ignition user can import an external file containing specially crafted payload, resulting in execution of embedded malicious code. This deserialization flaw allows an attacker with import privileges to run arbitrary code on the Ignition gateway. The weakness is identified as CWE\u2011502 (Deserialization of Untrusted Data).", "risk_and_exploitability": "The CVSS score is 5.4, indicating a medium severity vulnerability. The EPSS score is below 1%, suggesting the likelihood of exploitation is currently low, and it is not listed in the CISA KEV catalog. The attack vector is inferred as a local privilege escalation scenario, where an attacker must have import rights within the Ignition gateway to exploit the flaw. Because the exploit requires privileged user access, the risk to systems without such access is reduced, but any environment with the ability to import untrusted projects remains at risk."}}}}, "created": "2026-03-13T09:50:28.017420+00:00", "updated": "2026-03-20T15:48:35.463722+00:00", "vendors": ["inductiveautomation", "inductiveautomation$PRODUCT$ignition"]}