CRITICAL🇵🇱 Wersja polska

CVE-2023-39476

CVSS 9.8v3.1pub. 2024-05-03upd. 2025-03-12

Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the JavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20291.

🤖 AI Analysis
How it works

The vulnerability lies in the JavaSerializationCodec class, which does not perform proper validation of user-supplied data. An attacker can send a crafted payload containing malicious serialized Java objects that will be deserialized by the application without appropriate security controls. As a result of this process (deserialization of untrusted data), arbitrary code execution is possible in the context of the SYSTEM account on the targeted machine.

Impact

The attacker gains the ability to execute arbitrary code with SYSTEM privileges, which means complete control over the operating system, including data access, the ability to install malicious software, and lateral movement across the network.

Mitigation & patch

Apply patches available from the vendor in accordance with the references (https://www.zerodayinitiative.com/advisories/ZDI-23-1046/). Additionally, it is recommended to restrict network access to Ignition instances only to trusted hosts and to implement network segmentation in OT/SCADA environments.

Who is affected

Inductive Automation Ignition — versions indicated in the vendor's references (ZDI-CAN-20291 / ZDI-23-1046)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Inductiveautomation Ignition

    APP
    Inductiveautomation
    8.1.0 – 8.1.35 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2023-39475CRITICAL9.8PL ✓ten sam produkt

RCE przez deserializację w Inductive Automation Ignition (ParameterVersionJavaSerializationCodec)

CVE-2023-38121CRITICAL9.0PL ✓ten sam produkt

XSS do RCE w Inductive Automation Ignition OPC UA Quick Client

CVE-2022-35869CRITICAL9.8ten sam produkt

This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Aut...

CVE-2022-35890CRITICAL9.8ten sam produkt

An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vis...

CVE-2023-38122HIGH7.2ten sam produkt

Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnera...