Inkscape in Industrial Products
Priority: Monitor | Score: 7.8 | ICS-CERT ICSA-22-132-03 | May 12, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Inkscape versions prior to 1.0 contain multiple vulnerabilities (CWE-125, CWE-824, CWE-787) that allow unauthorized information disclosure and code execution when a user opens a malicious file. The vulnerabilities are not remotely exploitable and require local access and user interaction. Inkscape 1.0 or later resolves these issues. Ecava IntegraXor and other industrial products that embed or use Inkscape are affected.
What this means
What could happen
An attacker with local access to a workstation running Inkscape could read sensitive files or execute arbitrary commands, potentially compromising engineering data or the workstation itself if Inkscape is used in an industrial engineering or SCADA configuration role.
Who's at risk
Manufacturing facilities using Inkscape on engineering workstations, particularly those integrated with SCADA or industrial design systems like Ecava IntegraXor, should prioritize this update.
How it could be exploited
An attacker must have local access to the affected workstation and trick a user into opening a malicious file with Inkscape (e.g., a crafted SVG or related document). Once opened, the vulnerability allows information disclosure and code execution in the context of the logged-in user.
Prerequisites
- Local access to the workstation running vulnerable Inkscape
- User interaction required: victim must open a malicious file with Inkscape
- Vulnerable Inkscape version (prior to 1.0)
Tags: Low complexity · User interaction required · Local access only · Affects engineering workstations
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (1)
Product | Affected Versions | Fix Status
 | 0.91 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Train users to avoid opening unsolicited files or clicking untrusted links, especially files from email
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Inkscape to version 1.0 or later on all engineering workstations and systems
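As an added example (not part of the advisory or of Inkscape itself), a POSIX shell check that parses `inkscape --version` output collected from workstations and lists the hosts still below the 1.0 fix threshold; the inventory below is constructed, and its hostnames and commit ids are made up.

```sh
# Constructed sample inventory: one "hostname|output of inkscape --version" line per
# engineering workstation. Version string formats match what Inkscape prints;
# the hostnames and the commit ids in parentheses are placeholders.
INVENTORY='eng-ws-01|Inkscape 0.91 r00000
eng-ws-02|Inkscape 0.92.4 (0000000000, 2019-01-01)
eng-ws-03|Inkscape 1.0 (0000000000, 2020-05-01)
eng-ws-04|Inkscape 1.2 (0000000000, 2022-05-15)
eng-ws-05|inkscape: command not found'

# Return 0 if the reported version is vulnerable (below 1.0), 1 if it is 1.0 or
# later, 2 if the string does not look like Inkscape version output at all.
inkscape_needs_update() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^Inkscape \([0-9][0-9.]*\).*/\1/p')
  [ -n "$ver" ] || return 2
  major=${ver%%.*}          # only the major component matters for the 1.0 threshold
  [ "$major" -lt 1 ]
}

# Print the hostnames whose Inkscape must be updated to 1.0 or later.
list_vulnerable_hosts() {
  printf '%s\n' "$INVENTORY" | while IFS='|' read -r host output; do
    if inkscape_needs_update "$output"; then
      printf '%s\n' "$host"
    fi
  done
}

# Number of hosts needing the hotfix (two in the constructed inventory).
count_vulnerable_hosts() {
  list_vulnerable_hosts | wc -l | tr -d ' '
}
```

Hosts where Inkscape is absent or the output is unrecognised are skipped rather than reported, so they need a separate inventory check.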