Inductive Automation Ignition Software Deserialization of Untrusted Data

Summary

CVECVE-2025-13913
StatePUBLISHED
Assignericscert
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-03-12 19:16:14 UTC
Updated2026-06-05 19:40:45 UTC
DescriptionA privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.

Risk And Classification

Primary CVSS: v4.0 5.4 MEDIUM from [email protected]

CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.000120000 probability, percentile 0.017230000 (date 2026-06-11)

Problem Types: CWE-502 | CWE-502 CWE-502


VersionSourceTypeScoreSeverityVector
4.0[email protected]Secondary5.4MEDIUMCVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/C...
4.0CNACVSS5.4MEDIUMCVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
3.1[email protected]Primary6.8MEDIUMCVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
3.1[email protected]Secondary6.3MEDIUMCVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
3.1CNACVSS6.3MEDIUMCVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0 Breakdown

Attack Vector
Adjacent
Attack Complexity
High
Attack Requirements
None
Privileges Required
High
User Interaction
Active
Confidentiality
High
Integrity
High
Availability
High
Sub Conf.
Low
Sub Integrity
Low
Sub Availability
Low

CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1 Breakdown

Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Inductiveautomation Ignition All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Inductive Automation Ignition Software affected 8.3.0 custom Not specified
CNA Inductive Automation Ignition Software unaffected 8.3.0 Not specified

References

ReferenceSourceLinkTags
inductiveautomation.com/resources/article/ignition-security-hardening-guide [email protected] inductiveautomation.com Issue Tracking
www.cisa.gov/news-events/ics-advisories/icsa-26-071-06 [email protected] www.cisa.gov Third Party Advisory, VDB Entry
github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-07... [email protected] github.com Issue Tracking
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation. (en)

Additional Advisory Data

Solutions

CNA: Upgrade Ignition software from 8.1.x to 8.3.0 or greater.

Workarounds

CNA: MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide Appendix A. https://inductiveautomation.com/resources/article/ignition-security-hardening-guide

CNA: MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide Appendix A.  * Create a new dedicated local Windows account that will be used exclusively for the Ignition service (e.g. svc-ign). a. The best security practice is that the Ignition service should not be a domain account (unless otherwise needed). b. Remove all group memberships from the service account (including Users and Administrators). c. Add to security policy to log in as a service. d. Add to "Deny log on locally" security policy.  * Provide full read/write access only to the Ignition installation directory for the service account created in #1. a. Add read/write permissions to other directories in the local filesystem as needed (e.g.: if configured to use optional Enterprise Administration Module to write automated backups to the file system).  * Set deny access settings for service account on other directories not needed by the Ignition service. a. Specifically the C:\Windows, C:\Users, and directories for any other applications in the Program Files or Program Files(x86) directories. b. Use java param to change temp directory to a location within the Ignition install directory so the Users folder can be denied access to the Ignition service account. * Restrict project imports to verified and trusted sources only, ideally using checksums or digital signatures. * Use multiple environments (e.g. Dev, Test, Prod) with a staging workflow so that new data is never introduced directly to  production environments. See Ignition Deployment Best Practices. * When feasible, segment or isolate Ignition gateways from corporate resources and Windows Domains.a. The Ignition service account or AD server object should never need Windows Domain or Windows Active Directory privileges. This would only be needed if an Asset Owners IT or OT department uses this for management outside Ignition.b. Ignition may be federated with Active Directory environments (e.g. OT domains) by entering "Authentication Profile" credentials within the Ignition gateway itself. This could use secure LDAP, SAML, or OpenID Connect. * When feasible, enforce strong credential management and MFA for all users with Designer permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and Config Write permissions (8.3.x). * When feasible, deploy Ignition within hardened or containerized environments.

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report