CVE-2023-39473 – This vulnerability allows authenticated remote ... (How to Fix)

Q: What is the severity of CVE-2023-39473?

CVE-2023-39473 has a CVSS score of 8.8 (HIGH). This vulnerability allows authenticated remote attackers to execute arbitrary code on Inductive Automation Ignition systems by exploiting insecure deserialization in the AbstractGatewayFunction class. Attackers can gain SYSTEM-level privileges, enabling complete system compromise. Organizations using vulnerable Ignition installations are affected.

📋 TL;DR

This vulnerability allows authenticated remote attackers to execute arbitrary code on Inductive Automation Ignition systems by exploiting insecure deserialization in the AbstractGatewayFunction class. Attackers can gain SYSTEM-level privileges, enabling complete system compromise. Organizations using vulnerable Ignition installations are affected.

💻 Affected Systems

Products:

Inductive Automation Ignition

Versions: Specific versions not detailed in provided references, but ZDI-23-1045 advisory indicates affected installations

Operating Systems: Windows (SYSTEM context mentioned)

Default Config Vulnerable: ⚠️ Yes

Notes: Authentication is required to exploit, but default configurations may be vulnerable if authentication is enabled.

📦 What is this software?

Ignition by Inductiveautomation

View all CVEs affecting Ignition →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with SYSTEM privileges, allowing data theft, ransomware deployment, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Attacker gains full control over the Ignition server, potentially compromising industrial control systems and operational technology networks.

🟢

If Mitigated

Limited impact with proper network segmentation, authentication controls, and monitoring in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authentication but deserialization vulnerabilities are commonly weaponized. ZDI-CAN-17587 indicates coordinated disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Inductive Automation security advisory for specific patched versions

Vendor Advisory: https://inductiveautomation.com/security-advisory

Restart Required: Yes

Instructions:

1. Check current Ignition version
2. Download latest patched version from Inductive Automation
3. Backup configuration and data
4. Apply update following vendor instructions
5. Restart Ignition services

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Ignition servers from untrusted networks and limit access to authorized users only

Authentication Hardening

all

Implement strong authentication policies, multi-factor authentication, and least privilege access

🧯 If You Can't Patch

Implement strict network access controls to limit exposure
Monitor for suspicious deserialization attempts and authentication anomalies

🔍 How to Verify

Check if Vulnerable:

Check Ignition version against vendor advisory. Monitor for deserialization attempts in logs.

Check Version:

Check Ignition web interface or installation directory for version information

Verify Fix Applied:

Confirm installation of patched version and test that deserialization payloads are rejected.

📡 Detection & Monitoring

Log Indicators:

Unusual deserialization attempts
Authentication from unexpected sources
Abnormal process creation with SYSTEM privileges

Network Indicators:

Suspicious traffic to Ignition gateway endpoints
Unexpected outbound connections from Ignition server

SIEM Query:

source="ignition" AND (event_type="deserialization" OR process_name="cmd.exe" OR parent_process="java.exe")

📊 Metadata

CVE ID: CVE-2023-39473

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: May 3, 2024

Last Updated: March 13, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-23-1045/ Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1045/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-39473, you might also want to check these: