
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-35872 is a vulnerability discovered in Inductive Automation Ignition 8.1.15 that allows remote attackers to execute arbitrary code. It was discovered during the Pwn2Own 2022 competition by researcher Piotr Bazydło. The issue lies in the insecure deserialization of project resources during project imports; exploitation requires user interaction, in that the target must visit a malicious page or open a malicious file (ZDI Advisory, Vendor Advisory).
The vulnerability stems from a weakness in the deserialization of specific project resources within ZIP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).
When successfully exploited, the vulnerability lets an attacker execute code in the context of SYSTEM. However, the attack requires user interaction and an authenticated user with Config Page or Designer privileges, which somewhat limits its potential impact (Vendor Advisory).
Inductive Automation has issued updates to address this vulnerability. The vendor plans to implement stronger warnings before users import projects and is researching additional mechanisms to safeguard privileged users from importing potentially malicious scripts. Users are advised to exercise due diligence when importing external content (Vendor Advisory).
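The advisory attributes the bug to project resources being deserialized from an uploaded ZIP without validation. The example below is added here to illustrate the standard defender-side control for that class of bug and is not Inductive Automation's code; the page does not say which serialization format Ignition uses, so the example assumes plain Java serialization. It assumes a hypothetical importer in which resources are stored as `.bin` entries inside the project ZIP, and the allowlist contents and the 1 MiB size cap are constructed for the demo. It installs a class allowlist `ObjectInputFilter` (JDK 9+) before `readObject()` is called, so that any resource whose stream references a class outside the allowlist is refused rather than instantiated:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added demo: allowlist-filtered deserialization of resources read from a project ZIP. */
public class SafeProjectImport {

    // Hypothetical allowlist for the demo. A real importer would list only its own resource
    // types; java.lang.Number is needed because Integer's serializable superclass is also checked.
    private static final Set<String> ALLOWED = Set.of(
            "java.util.HashMap", "java.lang.String", "java.lang.Integer", "java.lang.Number");

    private static final int MAX_ENTRY_BYTES = 1 << 20; // assumed per-resource cap (1 MiB)

    // Consulted for every class descriptor in the stream, nested objects and arrays included.
    static final ObjectInputFilter RESOURCE_FILTER = info -> {
        if (info.depth() > 16 || info.references() > 10_000 || info.arrayLength() > 10_000) {
            return ObjectInputFilter.Status.REJECTED;   // blunt resource-exhaustion payloads
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED;  // not a class event, nothing to decide
        }
        while (c.isArray()) {
            c = c.getComponentType();                   // judge arrays by their element type
        }
        if (c.isPrimitive()) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    /** Deserialises one resource; a class outside the allowlist raises InvalidClassException. */
    static Object readResource(byte[] resourceBytes) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(resourceBytes));
        ois.setObjectInputFilter(RESOURCE_FILTER);      // must be installed before readObject()
        return ois.readObject();
    }

    /** Walks the ZIP and returns the names of accepted resources; rejected ones are skipped. */
    static List<String> importProject(byte[] zipBytes) throws IOException {
        List<String> accepted = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                if (entry.isDirectory() || !entry.getName().endsWith(".bin")) {
                    continue;                           // only serialized resources matter here
                }
                byte[] data = zis.readNBytes(MAX_ENTRY_BYTES + 1); // reads to end of this entry
                if (data.length > MAX_ENTRY_BYTES) {
                    System.out.println("rejected (too large): " + entry.getName());
                    continue;
                }
                try {
                    Object resource = readResource(data);
                    accepted.add(entry.getName());
                    System.out.println("accepted: " + entry.getName() + " -> " + resource.getClass().getName());
                } catch (InvalidClassException e) {
                    System.out.println("rejected (filter): " + entry.getName() + " -> " + e.getMessage());
                } catch (ClassNotFoundException e) {
                    System.out.println("rejected (unknown class): " + entry.getName());
                }
            }
        }
        return accepted;
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed sample project: one benign resource and one whose type is not allowlisted.
    public static void main(String[] args) throws IOException {
        Map<String, Integer> benign = new HashMap<>();
        benign.put("tagCount", 3);
        ByteArrayOutputStream zipOut = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(zipOut)) {
            zos.putNextEntry(new ZipEntry("resources/settings.bin"));
            zos.write(serialize(benign));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("resources/odd.bin"));
            zos.write(serialize(new java.util.Date()));   // off the allowlist, so it is refused
            zos.closeEntry();
        }
        System.out.println("accepted resources: " + importProject(zipOut.toByteArray()));
    }
}
```

The key point is that the filter runs while the stream is being parsed, so a rejected class is never loaded or constructed; relying on a check after `readObject()` returns would be too late. The size and depth limits are defence in depth against oversized or deeply nested payloads, and the allowlist should stay as narrow as the importer's real resource types permit.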
The vulnerability was discovered during the Pwn2Own Miami 2022 competition at the S4x22 conference, where Ignition was registered in the Control Server category. The discovery was part of a larger competition that resulted in 32 entries registered by 11 contestants (Vendor Advisory).
Source: This report was generated using AI