CVE-2022-35873

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Inductive Automation Ignition installations by tricking users into opening malicious ZIP files. The flaw in ZIP file processing enables execution of arbitrary Python scripts with SYSTEM privileges. All users of affected Ignition versions are at risk.

💻 Affected Systems

Products:
  • Inductive Automation Ignition
Versions: 8.1.15 (b2022030114) and potentially earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction - victim must open malicious ZIP file or visit malicious page. SYSTEM context execution makes this particularly dangerous.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing attackers to install malware, steal data, pivot to other systems, or disrupt industrial operations.

🟠 Likely Case

Attacker gains initial foothold on the system, then escalates privileges and deploys ransomware or establishes persistence for further attacks.

🟢 If Mitigated

Limited impact due to network segmentation, application whitelisting, and user awareness preventing malicious ZIP file execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploited at Pwn2Own 2022 (ZDI-CAN-16949). Requires social engineering to deliver malicious ZIP file but technical exploitation is straightforward once file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1.16 or later

Vendor Advisory: https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-Regarding-Pwn2Own-2022-Vulnerabilities

Restart Required: Yes

Instructions:

1. Download Ignition 8.1.16 or later from the Inductive Automation portal.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart Ignition services.
5. Verify the version in the About dialog.

🔧 Temporary Workarounds

Restrict ZIP file processing
  Applies to: all
  Block or restrict processing of ZIP files through Ignition's file handling mechanisms.

User awareness training
  Applies to: all
  Train users to never open ZIP files from untrusted sources in Ignition.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized Python scripts
  • Network segmentation to isolate Ignition systems from critical infrastructure

🔍 How to Verify

Check if Vulnerable:

Check the Ignition version in the About dialog: if it is 8.1.15 (b2022030114) or earlier, the system is vulnerable.

Check Version:

Open the Ignition Gateway Web UI -> About dialog, or examine the version files in the installation directory.

Verify Fix Applied:

Verify version is 8.1.16 or later in About dialog and test ZIP file processing functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Python script execution events
  • ZIP file processing errors
  • Unexpected SYSTEM privilege processes spawned from Ignition

Network Indicators:

  • Outbound connections from Ignition to unknown IPs
  • Unusual data exfiltration patterns

SIEM Query:

Process creation where parent_process contains 'ignition' AND (process contains 'python' OR process contains 'cmd' OR process contains 'powershell')
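The SIEM query above can be tested offline against process-creation telemetry before it is deployed. The following Python is an added example written for this page, not vendor code or a published detection rule: it applies the same logic (parent image contains "ignition", child image contains python, cmd or powershell) to a handful of constructed Sysmon-style Event ID 1 records and raises the severity when the child runs as SYSTEM, which is the context the advisory calls out. The file paths, user names and timestamps in the sample events are invented for the demonstration.

```python
from pathlib import PureWindowsPath

# Child image names the page's query looks for (substring match, case-insensitive).
SUSPICIOUS_CHILDREN = ("python", "cmd", "powershell")

# Constructed Sysmon-style process-creation records (Event ID 1). Not real telemetry.
SAMPLE_EVENTS = [
    {   # Ignition gateway spawning a shell as SYSTEM: matches the page's query
        "UtcTime": "2022-06-01 10:15:02",
        "ParentImage": r"C:\Program Files\Inductive Automation\Ignition\ignition.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\temp\unpacked\run.bat"',
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # Same parent launching its Java runtime: not a shell/interpreter, no alert
        "UtcTime": "2022-06-01 10:15:05",
        "ParentImage": r"C:\Program Files\Inductive Automation\Ignition\ignition.exe",
        "Image": r"C:\Program Files\Inductive Automation\Ignition\lib\runtime\bin\java.exe",
        "CommandLine": "java.exe -jar gateway.jar",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # A user's explorer.exe starting PowerShell: parent is not Ignition, no alert
        "UtcTime": "2022-06-01 10:16:40",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
        "User": r"DESKTOP-01\operator",
    },
    {   # Java runtime living under the Ignition directory spawning python.exe:
        # the parent path still contains 'ignition', so the substring match fires;
        # the user is not SYSTEM, so severity stays medium
        "UtcTime": "2022-06-01 10:17:12",
        "ParentImage": r"C:\Program Files\Inductive Automation\Ignition\lib\runtime\bin\java.exe",
        "Image": r"C:\Python39\python.exe",
        "CommandLine": r"python.exe C:\temp\unpacked\stage.py",
        "User": r"DESKTOP-01\operator",
    },
]


def is_suspicious_spawn(event):
    """True when a process whose path contains 'ignition' spawns a shell or interpreter."""
    parent = event.get("ParentImage", "").lower()
    # Compare on the file name only so directory names cannot cause false matches.
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    return "ignition" in parent and any(tok in child for tok in SUSPICIOUS_CHILDREN)


def classify(event):
    """SYSTEM-context children are the advisory's worst case; rate them higher."""
    user = event.get("User", "").upper()
    return "high" if user.endswith("\\SYSTEM") else "medium"


def detect(events):
    """Return one alert record per matching event, in input order."""
    alerts = []
    for ev in events:
        if is_suspicious_spawn(ev):
            alerts.append({
                "time": ev.get("UtcTime", ""),
                "parent": ev.get("ParentImage", ""),
                "child": ev.get("Image", ""),
                "user": ev.get("User", ""),
                "severity": classify(ev),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two of the four constructed events produce alerts. Because the page's query matches on substrings, any child whose image name contains "cmd" or "python" will fire, so in production the child list should be tuned against a baseline of what the Ignition service normally launches on the host.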
