cvelistv5 - cve-2025-13911

CVE-2025-13911 (GCVE-0-2025-13911)

Vulnerability from cvelistv5 – Published: 2025-12-18 20:24 – Updated: 2025-12-18 20:45

Title

Inductive Automation Ignition Execution with Unnecessary Privileges

Summary

The vulnerability affects Ignition SCADA applications where Python scripting is utilized for automation purposes. The vulnerability arises from the absence of proper security controls that restrict which Python libraries can be imported and executed within the scripting environment. The core issue lies in the Ignition service account having system permissions beyond what an Ignition privileged user requires. When an authenticated administrator uploads a malicious project file containing Python scripts with bind shell capabilities, the application executes these scripts with the same privileges as the Ignition Gateway process, which typically runs with SYSTEM-level permissions on Windows. Alternative code execution patterns could lead to similar results.

Severity ?

6.4 (Medium)


                        
                          CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

7.3 (High)


                        
                          CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-250

Assigner

icscert

References

URL

Tags

	https://security.inductiveautomation.com/
	https://www.cisa.gov/news-events/ics-advisories/i…
	https://github.com/cisagov/CSAF/blob/develop/csaf…

Impacted products

	Vendor	Product	Version
	Inductive Automation	Ignition	Affected: 8.1.x Affected: 8.3.x

Credits

Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13911",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-18T20:44:32.471219Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-18T20:45:07.276Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Ignition",
          "vendor": "Inductive Automation",
          "versions": [
            {
              "status": "affected",
              "version": "8.1.x"
            },
            {
              "status": "affected",
              "version": "8.3.x"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vulnerability affects Ignition SCADA applications where Python \nscripting is utilized for automation purposes. The vulnerability arises \nfrom the absence of proper security controls that restrict which Python \nlibraries can be imported and executed within the scripting environment.\n The core issue lies in the Ignition service account having system \npermissions beyond what an Ignition privileged user requires. When an \nauthenticated administrator uploads a malicious project file containing \nPython scripts with bind shell capabilities, the application executes \nthese scripts with the same privileges as the Ignition Gateway process, \nwhich typically runs with SYSTEM-level permissions on Windows. \nAlternative code execution patterns could lead to similar results.\n\n\u003cbr\u003e"
            }
          ],
          "value": "The vulnerability affects Ignition SCADA applications where Python \nscripting is utilized for automation purposes. The vulnerability arises \nfrom the absence of proper security controls that restrict which Python \nlibraries can be imported and executed within the scripting environment.\n The core issue lies in the Ignition service account having system \npermissions beyond what an Ignition privileged user requires. When an \nauthenticated administrator uploads a malicious project file containing \nPython scripts with bind shell capabilities, the application executes \nthese scripts with the same privileges as the Ignition Gateway process, \nwhich typically runs with SYSTEM-level permissions on Windows. \nAlternative code execution patterns could lead to similar results."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-250",
              "description": "CWE-250",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-18T20:24:30.118Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://security.inductiveautomation.com/"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-01"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-01.json"
        }
      ],
      "source": {
        "advisory": "ICSA-25-352-01",
        "discovery": "EXTERNAL"
      },
      "title": "Inductive Automation Ignition Execution with Unnecessary Privileges",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eInductive Automation encourages users to do the following in order to reduce the risk of this vulnerability:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCreate a new dedicated local Windows account that will be used \nexclusively for the Ignition service (e.g. svc-ign) (this should not be a\n domain account).\u003c/li\u003e\n\u003cli\u003eRemove all group memberships from the service account (including Users and Administrators). \u003c/li\u003e\n\u003cli\u003eAdd to security policy to log in as a service.\u003c/li\u003e\n\u003cli\u003eAdd to \u201cDeny log on locally\u201d security policy.\u003c/li\u003e\n\u003cli\u003eProvide full read/write access only to the Ignition installation directory for the service account created in step 1.\u003c/li\u003e\n\u003cli\u003eAdd read/write permissions to other directories in the local \nfilesystem as needed (e.g: if configured to use optional Enterprise \nAdministration Module to write automated backups to the file system). \u003c/li\u003e\n\u003cli\u003eSet deny access settings for service account on other directories not needed by the Ignition service.\u003c/li\u003e\n\u003cli\u003eSpecifically the C:\\Windows, C:\\Users, and directories for any other\n applications in the Program Files or Program Files(x86) directories.\u003c/li\u003e\n\u003cli\u003eUse java param to change temp directory to a location within the \nIgnition install directory so the Users folder can be denied access to \nthe Ignition service account.\u003c/li\u003e\n\u003cli\u003eRestrict project imports to verified and trusted sources only, ideally using checksums or digital signatures.\u003c/li\u003e\n\u003cli\u003eUse multiple environments (e.g. Dev, Test, Prod) with a staging \nworkflow so that new data is never introduced directly to Production \nenvironments. See Ignition Deployment Best Practices. \u003c/li\u003e\n\u003cli\u003eWhen feasible, segment or isolate Ignition gateways from corporate resources and Windows Domains. \u003c/li\u003e\n\u003cli\u003eThe Ignition service account or AD server object should never need \nWindows Domain or Windows Active Directory privileges. This would only \nbe needed if an Asset Owners IT or OT department uses this for \nmanagement outside Ignition. \u003c/li\u003e\n\u003cli\u003eIgnition may be federated with Active Directory environments (e.g. \nOT domains) by entering \u201cAuthentication Profile\u201d credentials within the \nIgnition gateway itself. This could use secure LDAP, SAML, or OpenID \nConnect.  \u003c/li\u003e\n\u003cli\u003eWhen feasible, enforce strong credential management and MFA for all \nusers with Designer permissions (8.1.x and 8.3.x), Config Page \npermissions (8.1.x), and Config Write permissions (8.3.x).\u003c/li\u003e\n\u003cli\u003eWhen feasible, deploy Ignition within hardened or containerized environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor more information and updates, users should refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.inductiveautomation.com\"\u003eInductive Automation\u0027s Trust Portal\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Inductive Automation encourages users to do the following in order to reduce the risk of this vulnerability:\n\n\n\n  *  Create a new dedicated local Windows account that will be used \nexclusively for the Ignition service (e.g. svc-ign) (this should not be a\n domain account).\n\n  *  Remove all group memberships from the service account (including Users and Administrators). \n\n  *  Add to security policy to log in as a service.\n\n  *  Add to \u201cDeny log on locally\u201d security policy.\n\n  *  Provide full read/write access only to the Ignition installation directory for the service account created in step 1.\n\n  *  Add read/write permissions to other directories in the local \nfilesystem as needed (e.g: if configured to use optional Enterprise \nAdministration Module to write automated backups to the file system). \n\n  *  Set deny access settings for service account on other directories not needed by the Ignition service.\n\n  *  Specifically the C:\\Windows, C:\\Users, and directories for any other\n applications in the Program Files or Program Files(x86) directories.\n\n  *  Use java param to change temp directory to a location within the \nIgnition install directory so the Users folder can be denied access to \nthe Ignition service account.\n\n  *  Restrict project imports to verified and trusted sources only, ideally using checksums or digital signatures.\n\n  *  Use multiple environments (e.g. Dev, Test, Prod) with a staging \nworkflow so that new data is never introduced directly to Production \nenvironments. See Ignition Deployment Best Practices. \n\n  *  When feasible, segment or isolate Ignition gateways from corporate resources and Windows Domains. \n\n  *  The Ignition service account or AD server object should never need \nWindows Domain or Windows Active Directory privileges. This would only \nbe needed if an Asset Owners IT or OT department uses this for \nmanagement outside Ignition. \n\n  *  Ignition may be federated with Active Directory environments (e.g. \nOT domains) by entering \u201cAuthentication Profile\u201d credentials within the \nIgnition gateway itself. This could use secure LDAP, SAML, or OpenID \nConnect.  \n\n  *  When feasible, enforce strong credential management and MFA for all \nusers with Designer permissions (8.1.x and 8.3.x), Config Page \npermissions (8.1.x), and Config Write permissions (8.3.x).\n\n  *  When feasible, deploy Ignition within hardened or containerized environments.\n\n\nFor more information and updates, users should refer to  Inductive Automation\u0027s Trust Portal https://security.inductiveautomation.com ."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-13911",
    "datePublished": "2025-12-18T20:24:30.118Z",
    "dateReserved": "2025-12-02T17:14:36.352Z",
    "dateUpdated": "2025-12-18T20:45:07.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-13911\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-12-18T21:15:52.073\",\"lastModified\":\"2025-12-19T18:00:18.330\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The vulnerability affects Ignition SCADA applications where Python \\nscripting is utilized for automation purposes. The vulnerability arises \\nfrom the absence of proper security controls that restrict which Python \\nlibraries can be imported and executed within the scripting environment.\\n The core issue lies in the Ignition service account having system \\npermissions beyond what an Ignition privileged user requires. When an \\nauthenticated administrator uploads a malicious project file containing \\nPython scripts with bind shell capabilities, the application executes \\nthese scripts with the same privileges as the Ignition Gateway process, \\nwhich typically runs with SYSTEM-level permissions on Windows. \\nAlternative code execution patterns could lead to similar results.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.5,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-250\"}]}],\"references\":[{\"url\":\"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-01.json\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://security.inductiveautomation.com/\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-01\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-13911\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-18T20:44:32.471219Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-18T20:44:59.392Z\"}}], \"cna\": {\"title\": \"Inductive Automation Ignition Execution with Unnecessary Privileges\", \"source\": {\"advisory\": \"ICSA-25-352-01\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Inductive Automation\", \"product\": \"Ignition\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.1.x\"}, {\"status\": \"affected\", \"version\": \"8.3.x\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://security.inductiveautomation.com/\"}, {\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-01\"}, {\"url\": \"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-01.json\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Inductive Automation encourages users to do the following in order to reduce the risk of this vulnerability:\\n\\n\\n\\n  *  Create a new dedicated local Windows account that will be used \\nexclusively for the Ignition service (e.g. svc-ign) (this should not be a\\n domain account).\\n\\n  *  Remove all group memberships from the service account (including Users and Administrators). \\n\\n  *  Add to security policy to log in as a service.\\n\\n  *  Add to \\u201cDeny log on locally\\u201d security policy.\\n\\n  *  Provide full read/write access only to the Ignition installation directory for the service account created in step 1.\\n\\n  *  Add read/write permissions to other directories in the local \\nfilesystem as needed (e.g: if configured to use optional Enterprise \\nAdministration Module to write automated backups to the file system). \\n\\n  *  Set deny access settings for service account on other directories not needed by the Ignition service.\\n\\n  *  Specifically the C:\\\\Windows, C:\\\\Users, and directories for any other\\n applications in the Program Files or Program Files(x86) directories.\\n\\n  *  Use java param to change temp directory to a location within the \\nIgnition install directory so the Users folder can be denied access to \\nthe Ignition service account.\\n\\n  *  Restrict project imports to verified and trusted sources only, ideally using checksums or digital signatures.\\n\\n  *  Use multiple environments (e.g. Dev, Test, Prod) with a staging \\nworkflow so that new data is never introduced directly to Production \\nenvironments. See Ignition Deployment Best Practices. \\n\\n  *  When feasible, segment or isolate Ignition gateways from corporate resources and Windows Domains. \\n\\n  *  The Ignition service account or AD server object should never need \\nWindows Domain or Windows Active Directory privileges. This would only \\nbe needed if an Asset Owners IT or OT department uses this for \\nmanagement outside Ignition. \\n\\n  *  Ignition may be federated with Active Directory environments (e.g. \\nOT domains) by entering \\u201cAuthentication Profile\\u201d credentials within the \\nIgnition gateway itself. This could use secure LDAP, SAML, or OpenID \\nConnect.  \\n\\n  *  When feasible, enforce strong credential management and MFA for all \\nusers with Designer permissions (8.1.x and 8.3.x), Config Page \\npermissions (8.1.x), and Config Write permissions (8.3.x).\\n\\n  *  When feasible, deploy Ignition within hardened or containerized environments.\\n\\n\\nFor more information and updates, users should refer to  Inductive Automation\u0027s Trust Portal https://security.inductiveautomation.com .\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eInductive Automation encourages users to do the following in order to reduce the risk of this vulnerability:\u003c/p\u003e\\n\u003col\u003e\\n\u003cli\u003eCreate a new dedicated local Windows account that will be used \\nexclusively for the Ignition service (e.g. svc-ign) (this should not be a\\n domain account).\u003c/li\u003e\\n\u003cli\u003eRemove all group memberships from the service account (including Users and Administrators). \u003c/li\u003e\\n\u003cli\u003eAdd to security policy to log in as a service.\u003c/li\u003e\\n\u003cli\u003eAdd to \\u201cDeny log on locally\\u201d security policy.\u003c/li\u003e\\n\u003cli\u003eProvide full read/write access only to the Ignition installation directory for the service account created in step 1.\u003c/li\u003e\\n\u003cli\u003eAdd read/write permissions to other directories in the local \\nfilesystem as needed (e.g: if configured to use optional Enterprise \\nAdministration Module to write automated backups to the file system). \u003c/li\u003e\\n\u003cli\u003eSet deny access settings for service account on other directories not needed by the Ignition service.\u003c/li\u003e\\n\u003cli\u003eSpecifically the C:\\\\Windows, C:\\\\Users, and directories for any other\\n applications in the Program Files or Program Files(x86) directories.\u003c/li\u003e\\n\u003cli\u003eUse java param to change temp directory to a location within the \\nIgnition install directory so the Users folder can be denied access to \\nthe Ignition service account.\u003c/li\u003e\\n\u003cli\u003eRestrict project imports to verified and trusted sources only, ideally using checksums or digital signatures.\u003c/li\u003e\\n\u003cli\u003eUse multiple environments (e.g. Dev, Test, Prod) with a staging \\nworkflow so that new data is never introduced directly to Production \\nenvironments. See Ignition Deployment Best Practices. \u003c/li\u003e\\n\u003cli\u003eWhen feasible, segment or isolate Ignition gateways from corporate resources and Windows Domains. \u003c/li\u003e\\n\u003cli\u003eThe Ignition service account or AD server object should never need \\nWindows Domain or Windows Active Directory privileges. This would only \\nbe needed if an Asset Owners IT or OT department uses this for \\nmanagement outside Ignition. \u003c/li\u003e\\n\u003cli\u003eIgnition may be federated with Active Directory environments (e.g. \\nOT domains) by entering \\u201cAuthentication Profile\\u201d credentials within the \\nIgnition gateway itself. This could use secure LDAP, SAML, or OpenID \\nConnect.  \u003c/li\u003e\\n\u003cli\u003eWhen feasible, enforce strong credential management and MFA for all \\nusers with Designer permissions (8.1.x and 8.3.x), Config Page \\npermissions (8.1.x), and Config Write permissions (8.3.x).\u003c/li\u003e\\n\u003cli\u003eWhen feasible, deploy Ignition within hardened or containerized environments.\u003c/li\u003e\\n\u003c/ol\u003e\\n\u003cp\u003eFor more information and updates, users should refer to \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://security.inductiveautomation.com\\\"\u003eInductive Automation\u0027s Trust Portal\u003c/a\u003e.\u003c/p\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The vulnerability affects Ignition SCADA applications where Python \\nscripting is utilized for automation purposes. The vulnerability arises \\nfrom the absence of proper security controls that restrict which Python \\nlibraries can be imported and executed within the scripting environment.\\n The core issue lies in the Ignition service account having system \\npermissions beyond what an Ignition privileged user requires. When an \\nauthenticated administrator uploads a malicious project file containing \\nPython scripts with bind shell capabilities, the application executes \\nthese scripts with the same privileges as the Ignition Gateway process, \\nwhich typically runs with SYSTEM-level permissions on Windows. \\nAlternative code execution patterns could lead to similar results.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The vulnerability affects Ignition SCADA applications where Python \\nscripting is utilized for automation purposes. The vulnerability arises \\nfrom the absence of proper security controls that restrict which Python \\nlibraries can be imported and executed within the scripting environment.\\n The core issue lies in the Ignition service account having system \\npermissions beyond what an Ignition privileged user requires. When an \\nauthenticated administrator uploads a malicious project file containing \\nPython scripts with bind shell capabilities, the application executes \\nthese scripts with the same privileges as the Ignition Gateway process, \\nwhich typically runs with SYSTEM-level permissions on Windows. \\nAlternative code execution patterns could lead to similar results.\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-250\", \"description\": \"CWE-250\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-12-18T20:24:30.118Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-13911\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-18T20:45:07.276Z\", \"dateReserved\": \"2025-12-02T17:14:36.352Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-12-18T20:24:30.118Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-13911

Vulnerability from fkie_nvd - Published: 2025-12-18 21:15 - Updated: 2025-12-19 18:00

Severity ?

6.4 (Medium) - CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	ics-cert@hq.dhs.gov	https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-01.json
	ics-cert@hq.dhs.gov	https://security.inductiveautomation.com/
	ics-cert@hq.dhs.gov	https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-01

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The vulnerability affects Ignition SCADA applications where Python \nscripting is utilized for automation purposes. The vulnerability arises \nfrom the absence of proper security controls that restrict which Python \nlibraries can be imported and executed within the scripting environment.\n The core issue lies in the Ignition service account having system \npermissions beyond what an Ignition privileged user requires. When an \nauthenticated administrator uploads a malicious project file containing \nPython scripts with bind shell capabilities, the application executes \nthese scripts with the same privileges as the Ignition Gateway process, \nwhich typically runs with SYSTEM-level permissions on Windows. \nAlternative code execution patterns could lead to similar results."
    }
  ],
  "id": "CVE-2025-13911",
  "lastModified": "2025-12-19T18:00:18.330",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9,
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "attackVector": "ADJACENT",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-18T21:15:52.073",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-01.json"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://security.inductiveautomation.com/"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-250"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Primary"
    }
  ]
}

ICSA-25-352-01

Vulnerability from csaf_cisa - Published: 2025-12-18 07:00 - Updated: 2025-12-18 07:00

Summary

Inductive Automation Ignition

Notes

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker to be granted direct SYSTEM-level code execution on the host operating system running the Ignition Gateway service on Windows systems.

Critical infrastructure sectors

Critical Manufacturing, Energy, Information Technology

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Recommended Practices

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Recommended Practices

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

Recommended Practices

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Recommended Practices

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Recommended Practices

Do not click web links or open attachments in unsolicited email messages.

Recommended Practices

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.

Recommended Practices

Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Recommended Practices

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Momen Eldawakhly"
        ],
        "organization": "Samurai Digital Security Ltd",
        "summary": "reported this vulnerability to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy \u0026 Use policy (https://www.cisa.gov/privacy-policy).",
        "title": "Legal Notice and Terms of Use"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker to be granted direct SYSTEM-level code execution on the host operating system running the Ignition Gateway service on Windows systems.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Critical Manufacturing, Energy, Information Technology",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Locate control system networks and remote devices behind firewalls and isolating them from business networks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Do not click web links or open attachments in unsolicited email messages.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-25-352-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2025/icsa-25-352-01.json"
      },
      {
        "category": "self",
        "summary": "ICSA Advisory ICSA-25-352-01 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/news/targeted-cyber-intrusion-detection-and-mitigation-strategies-update-b"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/secure-our-world/teach-employees-avoid-phishing"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks"
      }
    ],
    "title": "Inductive Automation Ignition",
    "tracking": {
      "current_release_date": "2025-12-18T07:00:00.000000Z",
      "generator": {
        "date": "2025-12-17T22:49:08.145816Z",
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-25-352-01",
      "initial_release_date": "2025-12-18T07:00:00.000000Z",
      "revision_history": [
        {
          "date": "2025-12-18T07:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Initial Publication"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "8.1.x|8.3.x",
                "product": {
                  "name": "Inductive Automation Ignition: 8.1.x|8.3.x",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Ignition"
          }
        ],
        "category": "vendor",
        "name": "Inductive Automation"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-13911",
      "cwe": {
        "id": "CWE-250",
        "name": "Execution with Unnecessary Privileges"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The vulnerability affects Ignition SCADA applications where Python scripting is utilized for automation purposes. The vulnerability arises from the absence of proper security controls that restrict which Python libraries can be imported and executed within the scripting environment. The core issue lies in the Ignition service account having system permissions beyond what an Ignition privileged user requires.  When an authenticated administrator uploads a malicious project file containing Python scripts with bind shell capabilities, the application executes these scripts with the same privileges as the Ignition Gateway process, which typically runs with SYSTEM-level permissions on Windows. Alternative code execution patterns could lead to similar results.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "www.cve.org",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-13911"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Inductive Automation encourages users to do the following in order to reduce the risk of this vulnerability:",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information and updates, users should refer to Inductive Automation\u0027s Trust Portal.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://security.inductiveautomation.com"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

GHSA-WMXH-4MGR-2W85

Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-18 21:31

Details

Severity ?

6.4 (Medium)


                  
                    CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

7.3 (High)


                  
                    CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-13911"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T21:15:52Z",
    "severity": "HIGH"
  },
  "details": "The vulnerability affects Ignition SCADA applications where Python \nscripting is utilized for automation purposes. The vulnerability arises \nfrom the absence of proper security controls that restrict which Python \nlibraries can be imported and executed within the scripting environment.\n The core issue lies in the Ignition service account having system \npermissions beyond what an Ignition privileged user requires. When an \nauthenticated administrator uploads a malicious project file containing \nPython scripts with bind shell capabilities, the application executes \nthese scripts with the same privileges as the Ignition Gateway process, \nwhich typically runs with SYSTEM-level permissions on Windows. \nAlternative code execution patterns could lead to similar results.",
  "id": "GHSA-wmxh-4mgr-2w85",
  "modified": "2025-12-18T21:31:43Z",
  "published": "2025-12-18T21:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13911"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-01.json"
    },
    {
      "type": "WEB",
      "url": "https://security.inductiveautomation.com"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-13911 (GCVE-0-2025-13911)

FKIE_CVE-2025-13911

ICSA-25-352-01

GHSA-WMXH-4MGR-2W85

Tags

Sightings

Nomenclature