{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13913", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-12-02T17:43:55.964Z", "datePublished": "2026-03-12T18:17:22.839Z", "dateUpdated": "2026-03-17T15:29:47.962Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-17T15:29:47.962Z"}, "title": "Inductive Automation Ignition Software Deserialization of Untrusted Data", "datePublic": "2026-03-12T15:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502", "type": "CWE"}]}], "affected": [{"vendor": "Inductive Automation", "product": "Ignition Software", "versions": [{"status": "affected", "version": "0", "lessThan": "8.3.0", "versionType": "custom"}, {"status": "unaffected", "version": "8.3.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span>A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.</span>"}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"}, {"url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"}}], "workarounds": [{"lang": "en", "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide", "supportingMedia": [{"type": "text/html", "base64": false, "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}]}, {"lang": "en", "value": "MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u00a0\n\n * Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u00a0a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u00a0\n * Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u00a0\n * Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\n * Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\n * Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u00a0 \nproduction environments. See Ignition Deployment Best Practices.\n * When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\n * When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\n * When feasible, deploy Ignition \nwithin hardened or containerized environments.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>\nMITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.&nbsp;</div><div><ol><li>Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).&nbsp;a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.&nbsp;</li><li>Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).&nbsp;</li><li>Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.</li><li>Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.</li><li>Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to&nbsp; \nproduction environments. See Ignition Deployment Best Practices.</li><li>When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.</li><li>When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).</li><li>When feasible, deploy Ignition \nwithin hardened or containerized environments.\n\n\n\n<br></li></ol></div>"}]}], "solutions": [{"lang": "en", "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater."}]}], "credits": [{"lang": "en", "value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation.", "type": "finder"}], "source": {"advisory": "ICSA-26-071-06", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:06:06.866760Z", "id": "CVE-2025-13913", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:06:53.296Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13913", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T19:06:06.866760Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:06:39.250Z"}}], "cna": {"title": "Inductive Automation Ignition Software Deserialization of Untrusted Data", "source": {"advisory": "ICSA-26-071-06", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.4, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Inductive Automation", "product": "Ignition Software", "versions": [{"status": "affected", "version": "0", "lessThan": "8.3.0", "versionType": "custom"}, {"status": "unaffected", "version": "8.3.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater.", "supportingMedia": [{"type": "text/html", "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater.", "base64": false}]}], "datePublic": "2026-03-12T15:00:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"}, {"url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}], "workarounds": [{"lang": "en", "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide", "supportingMedia": [{"type": "text/html", "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide", "base64": false}]}, {"lang": "en", "value": "MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u00a0\n\n * Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u00a0a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u00a0\n * Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u00a0\n * Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\n * Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\n * Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u00a0 \nproduction environments. See Ignition Deployment Best Practices.\n * When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\n * When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\n * When feasible, deploy Ignition \nwithin hardened or containerized environments.", "supportingMedia": [{"type": "text/html", "value": "<div>\nMITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.&nbsp;</div><div><ol><li>Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).&nbsp;a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.&nbsp;</li><li>Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).&nbsp;</li><li>Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.</li><li>Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.</li><li>Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to&nbsp; \nproduction environments. See Ignition Deployment Best Practices.</li><li>When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.</li><li>When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).</li><li>When feasible, deploy Ignition \nwithin hardened or containerized environments.\n\n\n\n<br></li></ol></div>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.", "supportingMedia": [{"type": "text/html", "value": "<span>A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-17T15:29:47.962Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13913", "state": "PUBLISHED", "dateUpdated": "2026-03-17T15:29:47.962Z", "dateReserved": "2025-12-02T17:43:55.964Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-03-12T18:17:22.839Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code."}, {"lang": "es", "value": "El Software Ignition de Inductive Automation es vulnerable a una exposici\u00f3n de endpoint de API no autenticado que puede permitir a un atacante cambiar remotamente la direcci\u00f3n de correo electr\u00f3nico de recuperaci\u00f3n de 'olvid\u00e9 mi contrase\u00f1a'."}], "id": "CVE-2025-13913", "lastModified": "2026-03-17T16:16:17.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-03-12T19:16:14.250", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}

{}