Inductive Automation Ignition
Monitor | 7.6 | ICS-CERT ICSA-22-207-01 | Jul 26, 2022
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
Inductive Automation Ignition contains an XML external entity (XXE) injection vulnerability (CWE-611) that allows an authenticated attacker with administrative privileges to read arbitrary files from the Ignition server. Successful exploitation permits disclosure of file contents, including potentially sensitive configuration, database credentials, or other system files. The vulnerability affects Ignition versions before 8.1.9 and before 7.9.21.
What this means
What could happen
An attacker with administrative credentials could read arbitrary files from the Ignition server, potentially exposing sensitive configuration data, process parameters, or system files that could aid further attacks.
Who's at risk
Organizations running Inductive Automation Ignition as a supervisory control or data acquisition platform should prioritize this. Ignition is commonly used in water treatment, wastewater, power generation, and discrete manufacturing for real-time monitoring and control dashboards. Anyone relying on Ignition to manage process data or PLC configuration is affected.
How it could be exploited
An attacker with high-privilege access to Ignition (administrative role) can exploit an XML external entity (XXE) injection vulnerability to request arbitrary files from the server filesystem. The attacker sends a specially crafted request that causes Ignition to parse malicious XML and return the contents of sensitive files back to the attacker.
Prerequisites
- Administrative or high-privilege user account credentials for Ignition
- Network access to the Ignition server (typically port 8088 for HTTP or 8043 for HTTPS)
- Ability to create or modify content that is parsed as XML by Ignition
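An added example, not taken from the advisory or from Inductive Automation: a pre-import screen that reports the DTD and external entity declarations XXE depends on, without resolving or fetching anything. It uses Python's standard expat bindings; the page does not say which Ignition inputs are parsed as XML, so the function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

def audit_xml(data: bytes) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for DTD constructs that enable XXE.

    Nothing is resolved or fetched: expat only reports the declarations.
    """
    findings: list[tuple[str, str]] = []
    parser = expat.ParserCreate()
    # Never load an external DTD subset or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", system_id or "internal subset"))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for external entities; system_id then holds the URI.
        if system_id is not None:
            findings.append(("external-entity", f"{name} -> {system_id}"))

    def on_external_ref(context, base, system_id, public_id):
        findings.append(("external-ref", system_id or ""))
        return 1  # continue parsing without fetching the resource

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc)))
    return findings

def is_safe_to_import(data: bytes) -> bool:
    """Policy (an assumption of this example): reject any DTD or parse error."""
    return not audit_xml(data)

# Constructed samples (not taken from the advisory or from Ignition).
CLEAN = b"<project><tag name='pump1'>42</tag></project>"
INTERNAL_ONLY = b'<!DOCTYPE p [<!ENTITY unit "kPa">]><p>&unit;</p>'
EXTERNAL = (b'<!DOCTYPE p [<!ENTITY ext SYSTEM "file:///constructed/example.txt">]>'
            b"<p>&ext;</p>")

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN), ("internal", INTERNAL_ONLY),
                       ("external", EXTERNAL)]:
        print(label, is_safe_to_import(doc), audit_xml(doc))
```

Rejecting every document that carries a DOCTYPE is stricter than rejecting only external entities, and is the simpler rule to enforce on files headed for a gateway that has not yet been upgraded.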
- Requires administrative credentials (high privilege barrier)
- XXE vulnerability allows file disclosure
- Low EPSS score indicates exploitation is unlikely in the wild
- Not currently actively exploited
- Affects configuration management and data confidentiality
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
2 pending
Product              Affected Versions     Fix Status
Ignition: All 7.9    ≥ 7.9 | < 7.9.21      No fix yet
Ignition: All        ≥ 8.1 | < 8.1.8       No fix yet
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to Ignition servers: place behind firewalls and do not expose to the Internet
- HARDENING: Enforce strong credential policies and limit administrative accounts to authorized personnel only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade Ignition to version 8.1.9 or later
- HOTFIX: Upgrade Ignition to version 7.9.21 or later (for 7.9 installations)
Long-term hardening
- HARDENING: Isolate Ignition servers from business networks using network segmentation
- HARDENING: If remote access to Ignition is required, use a VPN with current security patches
CVEs (1)