CVE-2025-13913 (GCVE-0-2025-13913)
Vulnerability from cvelistv5
Published
2026-03-12 18:17
Modified
2026-03-17 15:29
CWE
Summary
A privileged Ignition user, intentionally or otherwise, imports an external file containing a specially crafted payload; on import, the malicious code embedded in that payload is executed.
Impacted products


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13913",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-12T19:06:06.866760Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-12T19:06:53.296Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Ignition Software",
          "vendor": "Inductive Automation",
          "versions": [
            {
              "lessThan": "8.3.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "8.3.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation."
        }
      ],
      "datePublic": "2026-03-12T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan\u003eA privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.\u003c/span\u003e"
            }
          ],
          "value": "A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-17T15:29:47.962Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"
        },
        {
          "url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater."
            }
          ],
          "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater."
        }
      ],
      "source": {
        "advisory": "ICSA-26-071-06",
        "discovery": "EXTERNAL"
      },
      "title": "Inductive Automation Ignition Software Deserialization of Untrusted Data",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide"
            }
          ],
          "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide"
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\nMITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003col\u003e\u003cli\u003eCreate a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u0026nbsp;a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u0026nbsp;\u003c/li\u003e\u003cli\u003eProvide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u0026nbsp;\u003c/li\u003e\u003cli\u003eSet deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\u003c/li\u003e\u003cli\u003eRestrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\u003c/li\u003e\u003cli\u003eUse multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u0026nbsp; \nproduction environments. See Ignition Deployment Best Practices.\u003c/li\u003e\u003cli\u003eWhen \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. 
The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\u003c/li\u003e\u003cli\u003eWhen feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\u003c/li\u003e\u003cli\u003eWhen feasible, deploy Ignition \nwithin hardened or containerized environments.\n\n\n\n\u003cbr\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/div\u003e"
            }
          ],
          "value": "MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u00a0\n\n  *  Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u00a0a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u00a0\n  *  Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u00a0\n  *  Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\n  *  Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\n  *  Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u00a0 \nproduction environments. See Ignition Deployment Best Practices.\n  *  When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. 
The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\n  *  When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\n  *  When feasible, deploy Ignition \nwithin hardened or containerized environments."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-13913",
    "datePublished": "2026-03-12T18:17:22.839Z",
    "dateReserved": "2025-12-02T17:43:55.964Z",
    "dateUpdated": "2026-03-17T15:29:47.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-13913\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-12T19:06:06.866760Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-12T19:06:39.250Z\"}}], \"cna\": {\"title\": \"Inductive Automation Ignition Software Deserialization of Untrusted Data\", \"source\": {\"advisory\": \"ICSA-26-071-06\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.4, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": 
\"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Inductive Automation\", \"product\": \"Ignition Software\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.3.0\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"8.3.0\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade Ignition software from 8.1.x to 8.3.0 or greater.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Upgrade Ignition software from 8.1.x to 8.3.0 or greater.\", \"base64\": false}]}], \"datePublic\": \"2026-03-12T15:00:00.000Z\", \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06\"}, {\"url\": \"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json\"}, {\"url\": \"https://inductiveautomation.com/resources/article/ignition-security-hardening-guide\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \\nAppendix A. \\nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \\nAppendix A. \\nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide\", \"base64\": false}]}, {\"lang\": \"en\", \"value\": \"MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\\n Appendix A.\\u00a0\\n\\n  *  Create a new dedicated local Windows account that will \\nbe used exclusively for the Ignition service (e.g. svc-ign).\\u00a0a. 
The best\\n security practice is that the Ignition service should not be a domain \\naccount (unless otherwise needed). b. Remove all group memberships from \\nthe service account (including Users and Administrators). c. Add to \\nsecurity policy to log in as a service. d. Add to \\\"Deny log on locally\\\" \\nsecurity policy.\\u00a0\\n  *  Provide full read/write access only to the Ignition \\ninstallation directory for the service account created in #1. a. Add \\nread/write permissions to other directories in the local filesystem as \\nneeded (e.g.: if configured to use optional Enterprise Administration \\nModule to write automated backups to the file system).\\u00a0\\n  *  Set deny \\naccess settings for service account on other directories not needed by \\nthe Ignition service. a. Specifically the C:\\\\Windows, C:\\\\Users, and \\ndirectories for any other applications in the Program Files or Program \\nFiles(x86) directories. b. Use java param to change temp directory to a \\nlocation within the Ignition install directory so the Users folder can \\nbe denied access to the Ignition service account.\\n  *  Restrict project imports to verified \\nand trusted sources only, ideally using checksums or digital \\nsignatures.\\n  *  Use multiple environments (e.g. Dev, Test, Prod) with a \\nstaging workflow so that new data is never introduced directly to\\u00a0 \\nproduction environments. See Ignition Deployment Best Practices.\\n  *  When \\nfeasible, segment or isolate Ignition gateways from corporate resources \\nand Windows Domains.a. The Ignition service account or AD server object \\nshould never need Windows Domain or Windows Active Directory privileges.\\n This would only be needed if an Asset Owners IT or OT department uses \\nthis for management outside Ignition.b. Ignition may be federated with \\nActive Directory environments (e.g. 
OT domains) by entering \\n\\\"Authentication Profile\\\" credentials within the Ignition gateway itself.\\n This could use secure LDAP, SAML, or OpenID Connect.\\n  *  When feasible, \\nenforce strong credential management and MFA for all users with Designer\\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \\nConfig Write permissions (8.3.x).\\n  *  When feasible, deploy Ignition \\nwithin hardened or containerized environments.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\\nMITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\\n Appendix A.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003col\u003e\u003cli\u003eCreate a new dedicated local Windows account that will \\nbe used exclusively for the Ignition service (e.g. svc-ign).\u0026nbsp;a. The best\\n security practice is that the Ignition service should not be a domain \\naccount (unless otherwise needed). b. Remove all group memberships from \\nthe service account (including Users and Administrators). c. Add to \\nsecurity policy to log in as a service. d. Add to \\\"Deny log on locally\\\" \\nsecurity policy.\u0026nbsp;\u003c/li\u003e\u003cli\u003eProvide full read/write access only to the Ignition \\ninstallation directory for the service account created in #1. a. Add \\nread/write permissions to other directories in the local filesystem as \\nneeded (e.g.: if configured to use optional Enterprise Administration \\nModule to write automated backups to the file system).\u0026nbsp;\u003c/li\u003e\u003cli\u003eSet deny \\naccess settings for service account on other directories not needed by \\nthe Ignition service. a. Specifically the C:\\\\Windows, C:\\\\Users, and \\ndirectories for any other applications in the Program Files or Program \\nFiles(x86) directories. b. 
Use java param to change temp directory to a \\nlocation within the Ignition install directory so the Users folder can \\nbe denied access to the Ignition service account.\u003c/li\u003e\u003cli\u003eRestrict project imports to verified \\nand trusted sources only, ideally using checksums or digital \\nsignatures.\u003c/li\u003e\u003cli\u003eUse multiple environments (e.g. Dev, Test, Prod) with a \\nstaging workflow so that new data is never introduced directly to\u0026nbsp; \\nproduction environments. See Ignition Deployment Best Practices.\u003c/li\u003e\u003cli\u003eWhen \\nfeasible, segment or isolate Ignition gateways from corporate resources \\nand Windows Domains.a. The Ignition service account or AD server object \\nshould never need Windows Domain or Windows Active Directory privileges.\\n This would only be needed if an Asset Owners IT or OT department uses \\nthis for management outside Ignition.b. Ignition may be federated with \\nActive Directory environments (e.g. OT domains) by entering \\n\\\"Authentication Profile\\\" credentials within the Ignition gateway itself.\\n This could use secure LDAP, SAML, or OpenID Connect.\u003c/li\u003e\u003cli\u003eWhen feasible, \\nenforce strong credential management and MFA for all users with Designer\\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \\nConfig Write permissions (8.3.x).\u003c/li\u003e\u003cli\u003eWhen feasible, deploy Ignition \\nwithin hardened or containerized environments.\\n\\n\\n\\n\u003cbr\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/div\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan\u003eA privileged Ignition user, intentionally or otherwise, imports an 
external file with a specially crafted payload, which executes embedded malicious code.\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2026-03-17T15:29:47.962Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-13913\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-17T15:29:47.962Z\", \"dateReserved\": \"2025-12-02T17:43:55.964Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2026-03-12T18:17:22.839Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}









Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was neither exploited nor seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

