CVE-2023-39475 – This vulnerability allows unauthenticated remot... (How to Fix)

Q: What is the severity of CVE-2023-39475?

CVE-2023-39475 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows unauthenticated remote attackers to execute arbitrary code with SYSTEM privileges on Inductive Automation Ignition installations. The flaw exists in the ParameterVersionJavaSerializationCodec class which deserializes untrusted data without proper validation. All organizations running vulnerable versions of Ignition are affected.

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with SYSTEM privileges on Inductive Automation Ignition installations. The flaw exists in the ParameterVersionJavaSerializationCodec class which deserializes untrusted data without proper validation. All organizations running vulnerable versions of Ignition are affected.

💻 Affected Systems

Products:

Inductive Automation Ignition

Versions: Specific versions not detailed in provided references, but ZDI-23-1047 advisory indicates affected versions exist.

Operating Systems: Windows (SYSTEM context mentioned), Likely all platforms running Ignition

Default Config Vulnerable: ⚠️ Yes

Notes: Authentication is not required to exploit. Systems with Ignition exposed to network are vulnerable.

📦 What is this software?

Ignition by Inductiveautomation

View all CVEs affecting Ignition →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing attackers to install malware, steal data, pivot to other systems, or disrupt industrial operations.

🟠

Likely Case

Remote code execution leading to ransomware deployment, data exfiltration, or creation of persistent backdoors in industrial control environments.

🟢

If Mitigated

Limited impact if systems are isolated, patched, or have network controls preventing external access.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation with CVSS 9.8 score makes internet-facing systems extremely vulnerable.

🏢 Internal Only: HIGH - Even internally, unauthenticated exploitation allows lateral movement and significant damage.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

ZDI-CAN-20290 identifier suggests proof-of-concept exists in controlled environments. Unauthenticated nature and SYSTEM privileges make weaponization highly likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Inductive Automation security advisory for specific patched versions

Vendor Advisory: https://inductiveautomation.com/security-advisory

Restart Required: Yes

Instructions:

1. Check current Ignition version. 2. Visit Inductive Automation security advisory. 3. Download and apply latest security patch. 4. Restart Ignition services. 5. Verify patch installation.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Ignition systems from untrusted networks and internet

Firewall Rules

windows

Restrict access to Ignition ports to only trusted IP addresses

# Example for Windows Firewall
netsh advfirewall firewall add rule name="Block Ignition External" dir=in action=block protocol=TCP localport=8088,8043 remoteip=any

🧯 If You Can't Patch

Implement strict network segmentation and firewall rules to limit access
Monitor for exploitation attempts and have incident response plan ready

🔍 How to Verify

Check if Vulnerable:

Check Ignition version against vendor's security advisory for affected versions

Check Version:

Check Ignition Gateway Web Interface -> About section or examine installation directory version files

Verify Fix Applied:

Verify installed version matches or exceeds patched version from vendor advisory

📡 Detection & Monitoring

Log Indicators:

Unusual Java deserialization errors
Unexpected process creation from Ignition services
Network connections from Ignition to suspicious external IPs

Network Indicators:

Exploit traffic to Ignition ports (typically 8088, 8043)
Unusual outbound connections from Ignition systems

SIEM Query:

source="ignition" AND (event_type="deserialization" OR process_name="cmd.exe" OR process_name="powershell.exe")

📊 Metadata

CVE ID: CVE-2023-39475

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: May 3, 2024

Last Updated: March 13, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-23-1047/ Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1047/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-39475, you might also want to check these: