Inductive Automation Ignition 8

Plan Patch7.5ICS-CERT ICSA-20-212-01Jul 30, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A missing access control vulnerability in Inductive Automation Ignition 8 (all versions before 8.0.13) allows an unauthenticated attacker with network access to read sensitive information such as configuration, process setpoints, and credentials. The vulnerability is due to improper enforcement of access controls (CWE-862). Inductive Automation has released a fix in version 8.0.13.

What this means

What could happen

An attacker with network access to Ignition could read sensitive information such as configuration data, credentials, or process parameters without authentication, potentially exposing details needed to compromise production operations or other systems.

Who's at risk

Manufacturing and process automation operators using Inductive Automation Ignition 8 for supervisory control, data acquisition, and visualization. This includes facilities in chemical processing, water treatment, power generation, and discrete manufacturing where Ignition serves as the primary SCADA/HMI platform.

How it could be exploited

An attacker on the same network as Ignition (or the Internet if exposed) sends a crafted request to the Ignition service without credentials. The vulnerability in Ignition versions before 8.0.13 fails to properly enforce access controls (CWE-862), allowing the attacker to read sensitive data directly from the application.

Prerequisites

Network access to Ignition 8 (versions before 8.0.13)
No authentication required

Remotely exploitableNo authentication requiredLow complexity to exploitAffects sensitive operational dataPatch requires maintenance window

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

Ignition 8: All< 8.0.138.0.13

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to Ignition from only authorized workstations and engineering networks using firewall rules

HARDENINGDo not expose Ignition directly to the Internet; locate it behind a firewall and use VPN for remote access

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Ignition to version 8.0.13 or later

Long-term hardening

0/1

HARDENINGIsolate Ignition and its network segment from the business network using network segmentation

CVEs (1)

CVE-2020-14520

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0d67da83-3b92-4c48-b7a7-720524259f72