
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-35873 is a vulnerability in Inductive Automation Ignition 8.1.15 (b2022030114) that allows remote attackers to execute arbitrary code. It was discovered during the Pwn2Own 2022 competition at the S4x22 conference and tracked by the Zero Day Initiative as ZDI-CAN-16949. The flaw lies in the Exchange Package Import functionality's processing of ZIP files. User interaction is required: the target must visit a malicious page or open a malicious file, in this case import an attacker-supplied exchange package (ZDI Advisory, Vendor Advisory).
The vulnerability has a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Crafted data in the ZIP file causes the application to execute arbitrary Python scripts carried in the package, and the user interface does not give sufficient indication of the hazard when such a file is processed. The AV:L and UI:R components reflect that exploitation depends on a user importing the attacker's package rather than on an unauthenticated network path (ZDI Advisory).
When successfully exploited, the attacker's code runs in the context of SYSTEM. The vendor notes that importing a package requires a user with config page privileges, which somewhat limits the exposure; this sits in tension with the PR:N component of the CVSS vector, so in practice the attack should be modelled as requiring a privileged Gateway user who can be induced to import a malicious package. Once that happens, the result is arbitrary code execution on the affected system (ZDI Advisory, Vendor Advisory).
Inductive Automation has acknowledged the vulnerability and plans, in a future release, to add a warning before users import external packages, making it clear that imported resources may contain arbitrary scripts that will be executed during and/or after the import. Until then, users should import exchange packages only from origins and authors they trust, and should inspect the package contents before importing them (Vendor Advisory).
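The due-diligence step above can be partly automated. The script below is an added example, not code from the advisory or from Inductive Automation: it treats an exchange package purely as a ZIP archive and, without extracting anything, flags entries that are Python script resources, entries whose contents look like Python (including calls into Ignition's `system.*` scripting API), entries with zip-slip style paths, and oversized entries. The entry names in the constructed sample package and the assumption that script resources appear as `.py` files are illustrative, since the page does not document the package layout.

```python
"""
Pre-import triage of an Ignition exchange package (a ZIP archive).

Added example (not Inductive Automation's tooling). Assumptions, all marked
here: the package is a plain ZIP; script resources are .py files or contain
Python-looking text; entry names used in the sample are constructed and do
not reflect the real exchange package layout.
"""
from __future__ import annotations

import io
import posixpath
import re
import zipfile
from dataclasses import dataclass, field

# Byte patterns that suggest executable Ignition (Jython) scripting.
SCRIPT_PATTERNS = [
    re.compile(rb"^\s*(import|from)\s+\w+", re.M),
    re.compile(rb"^\s*def\s+\w+\s*\(", re.M),
    re.compile(rb"\bsystem\.\w+\.\w+\s*\("),  # Ignition system.* scripting API
    re.compile(rb"\b(os\.system|subprocess|java\.lang\.Runtime|exec\s*\(|eval\s*\()"),
]


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)


def is_unsafe_path(name: str) -> bool:
    """Flag zip-slip style entry names: absolute, drive-letter, or '..' traversal."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return (
        name.startswith(("/", "\\"))
        or re.match(r"^[A-Za-z]:", name) is not None
        or norm == ".."
        or norm.startswith("../")
    )


def triage_package(data: bytes, max_entry_bytes: int = 5_000_000) -> list[Finding]:
    """Return one Finding per suspicious entry; nothing is written to disk."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            if is_unsafe_path(info.filename):
                reasons.append("path traversal / absolute path in entry name")
            if info.filename.lower().endswith(".py"):
                reasons.append("python script resource")
            if not info.is_dir():
                # Read a bounded amount rather than trusting the declared size.
                with zf.open(info) as fh:
                    content = fh.read(max_entry_bytes + 1)
                if len(content) > max_entry_bytes:
                    reasons.append(f"entry larger than {max_entry_bytes} bytes")
                elif any(p.search(content) for p in SCRIPT_PATTERNS):
                    reasons.append("python-like code in content")
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_package(include_hazards: bool = True) -> bytes:
    """Constructed sample archive; entry names are illustrative only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("project/views/main/view.json", b'{"meta": {"name": "main"}}')
        if include_hazards:
            # A script resource that would run under the Gateway on import.
            zf.writestr("project/scripts/startup/code.py",
                        b"import system\nsystem.util.execute(['whoami'])\n")
            # A zip-slip entry that would escape the import directory if extracted naively.
            zf.writestr("../../tmp/evil.txt", b"x")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_package(build_sample_package()):
        print(f"{f.entry}: {', '.join(f.reasons)}")
```

Run it against a real package with `triage_package(open(path, "rb").read())`; a non-empty result means the archive carries something that executes or escapes on import and should be reviewed by hand before any privileged user imports it.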
Source: This report was generated using AI