CVE-2023-50223

8.8 HIGH

📋 TL;DR

This vulnerability in Inductive Automation Ignition allows authenticated remote attackers to execute arbitrary code with SYSTEM privileges by exploiting insecure deserialization in the ExtendedDocumentCodec class. It affects Ignition installations where attackers can reach the vulnerable component with valid credentials. The vulnerability enables complete system compromise.

💻 Affected Systems

Products:
  • Inductive Automation Ignition
Versions: Prior to 8.1.34 and 9.0.10
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of the vulnerable versions are affected. Exploitation requires authentication, which is often enabled in Ignition deployments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full SYSTEM-level remote code execution leading to complete system compromise, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Authenticated attackers gaining SYSTEM privileges to execute arbitrary commands, potentially installing malware, stealing sensitive data, or disrupting industrial operations.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring, though the vulnerability still exists.

🌐 Internet-Facing: HIGH if Ignition is exposed to the internet with authentication enabled, as authenticated attackers can achieve RCE.
🏢 Internal Only: HIGH for internal networks where attackers have obtained or can guess valid credentials, allowing lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authentication but leverages well-known deserialization patterns. ZDI has published details, increasing likelihood of weaponization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Ignition 8.1.34 and 9.0.10

Vendor Advisory: https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b

Restart Required: Yes

Instructions:

1. Download Ignition 8.1.34 or 9.0.10 from the Inductive Automation website.
2. Back up your Ignition configuration.
3. Run the installer to upgrade.
4. Restart the Ignition service.
5. Verify the version in the Ignition Gateway.

🔧 Temporary Workarounds

Network Segmentation

Restrict access to Ignition servers to only trusted networks and users.

Strong Authentication Controls

Implement multi-factor authentication, strong password policies, and account lockouts to reduce credential theft risk.

🧯 If You Can't Patch

  • Implement strict network access controls to limit which users can reach Ignition servers.
  • Monitor for suspicious authentication attempts and deserialization-related log entries.

🔍 How to Verify

Check if Vulnerable:

Check the Ignition version on the Gateway webpage or the Gateway status page. Version 8 releases below 8.1.34 and version 9 releases below 9.0.10 are vulnerable.

Check Version:

Check the Gateway webpage or look at the Ignition logs for version information.

Verify Fix Applied:

Confirm the Ignition version is 8.1.34 or higher for version 8, or 9.0.10 or higher for version 9, after patching.
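
A triage helper for the version checks above, added here as an example (it is not code from Inductive Automation or from the original page). The fixed versions are the ones stated on this page; the hostnames, the sample version strings and the "unknown" result for branches the page does not mention are assumptions.

```python
import re

# Fixed release per major branch, as stated on this page.
FIXED = {8: (8, 1, 34), 9: (9, 0, 10)}

# A major.minor.patch triple that is not part of a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return (major, minor, patch) from a reported version string, or None.

    Tolerates surrounding text and build suffixes such as '8.1.33 (b2023101913)'.
    """
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    major = version[0]
    if major > max(FIXED):
        return "unknown"  # assumption: the page gives no threshold here
    # Branches older than 8.x are also "prior to 8.1.34".
    fixed = FIXED.get(major, FIXED[min(FIXED)])
    # Integer tuples compare numerically, so 9.0.9 < 9.0.10 (strings would not).
    return "vulnerable" if version < fixed else "fixed"


def triage(inventory):
    """Group {host: reported version} into {status: [hosts]}."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        result[classify(reported)].append(host)
    return result


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE = {
    "gw-a": "8.1.33 (b2023101913)", "gw-b": "8.1.34", "gw-c": "9.0.9",
    "gw-d": "9.0.10", "gw-e": "7.9.21", "gw-f": "not reported",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" need a manual check on the Gateway status page rather than being assumed patched.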

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts followed by deserialization errors or unexpected process execution in Ignition logs.

Network Indicators:

  • Suspicious HTTP requests to Ignition endpoints with serialized data payloads.

SIEM Query:

source="ignition.log" AND ("deserialization" OR "ExtendedDocumentCodec") AND severity=ERROR
