CRITICAL🇵🇱 Wersja polska

CVE-2023-39475

CVSS 9.8v3.1pub. 2024-05-03upd. 2025-03-13

Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ParameterVersionJavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20290.

🤖 AI Analysis
How it works

The vulnerability exists in the ParameterVersionJavaSerializationCodec class, which improperly validates user-supplied data before deserialization. An attacker can send a specially crafted payload over the network that will be deserialized without any verification. Code execution occurs in the context of the SYSTEM account, which means the highest privilege level in the Windows operating system.

Impact

The attacker gains the ability to execute arbitrary code with SYSTEM privileges on the targeted machine, resulting in complete system takeover, including data access, software installation, and further lateral movement in the network.

Mitigation & patch

Apply patches available from the vendor according to the references provided. It is also recommended to restrict network access to Ignition installations using a firewall and to segment industrial networks (OT/ICS) to reduce the attack surface until the patch is deployed.

Who is affected

Inductive Automation Ignition — versions indicated in the vendor references and in the ZDI-23-1047 advisory

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Inductiveautomation Ignition

    APP
    Inductiveautomation
    8.1.0 – 8.1.35 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2023-39476CRITICAL9.8PL ✓ten sam produkt

Inductive Automation Ignition — RCE przez deserialization w JavaSerializationCodec

CVE-2023-38121CRITICAL9.0PL ✓ten sam produkt

XSS do RCE w Inductive Automation Ignition OPC UA Quick Client

CVE-2022-35869CRITICAL9.8ten sam produkt

This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Aut...

CVE-2022-35890CRITICAL9.8ten sam produkt

An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vis...

CVE-2023-38122HIGH7.2ten sam produkt

Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnera...