
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2022-35890) was discovered in Inductive Automation Ignition before versions 7.9.20 and 8.x before 8.1.17. The vulnerability involves a weakness in how Designer and Vision Client Session IDs were generated, allowing attackers to determine which session IDs were generated in the past and hijack sessions assigned to these IDs (Vendor Advisory, NVD).
The vulnerability stems from a weakness in the session ID generation mechanism for Designer and Vision Client sessions. Attackers could exploit this weakness to predict and determine previously generated session IDs, enabling them to hijack active sessions. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).
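The advisory does not publish the details of the flawed generator, so the following is an added, hypothetical illustration of the general failure class, not Ignition's code. It places a weak session ID generator (a general-purpose PRNG seeded from a low-entropy value such as a timestamp, so that anyone who can reconstruct the seed regenerates the same ID) beside the hardened form (an ID drawn from the operating system's CSPRNG), with a small check that shows why the weak form is a problem: given the same inputs it reproduces the same ID. The function names and the seed value are assumptions.

```python
import random
import secrets


def weak_session_id(seed: int, n_bytes: int = 16) -> str:
    """Illustrative weak pattern (hypothetical, not the vendor's code):
    a general-purpose PRNG seeded from a guessable value.  Because the
    output is a pure function of the seed, an observer who can narrow
    down the seed (e.g. a coarse timestamp) can regenerate past IDs."""
    rng = random.Random(seed)
    return rng.getrandbits(n_bytes * 8).to_bytes(n_bytes, "big").hex()


def strong_session_id(n_bytes: int = 16) -> str:
    """Hardened form: 128 bits drawn from the OS CSPRNG.  There is no seed
    to recover, so past IDs cannot be reconstructed from any public input."""
    return secrets.token_hex(n_bytes)


def is_reproducible(gen, *args, trials: int = 3) -> bool:
    """Return True if calling `gen` repeatedly with identical arguments
    yields identical IDs -- the property a session ID generator must NOT have."""
    ids = {gen(*args) for _ in range(trials)}
    return len(ids) == 1


def unique_ratio(gen, *args, samples: int = 1000) -> float:
    """Fraction of distinct IDs in a batch; a simple sanity check a defender
    can run against any generator (1.0 means no repeats in the batch)."""
    ids = {gen(*args) for _ in range(samples)}
    return len(ids) / samples


if __name__ == "__main__":
    # Constructed seed standing in for a timestamp-derived value.
    seed = 1_650_000_000
    print("weak ID reproducible from seed:", is_reproducible(weak_session_id, seed))
    print("strong ID reproducible:", is_reproducible(strong_session_id))
    print("strong ID unique ratio:", unique_ratio(strong_session_id))
```

The point of `is_reproducible` is that the weak generator is deterministic in its seed, which is exactly what lets previously issued IDs be determined; the CSPRNG-backed generator has no such input to recover.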
Successful exploitation of this vulnerability allows attackers to hijack authenticated sessions, potentially leading to unauthorized access with the privileges of the hijacked user. When combined with CVE-2022-36126 (ScriptInvoke RCE), attackers could achieve remote code execution on the target system (Vendor Advisory).
The vulnerability has been patched in Ignition versions 7.9.20 and 8.1.17. Organizations are strongly advised to upgrade to these versions or later. The fix addresses the root cause by improving the session ID generation mechanism for Designer and Vision Client sessions (Vendor Advisory).
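To act on the version guidance above across a fleet, the following added example (not from the advisory or the vendor) encodes the affected ranges the advisory names, versions before 7.9.20 and 8.x before 8.1.17, as a check that can be run over a constructed inventory of gateway versions. The inventory entries and the helper names are assumptions.

```python
import re

# Minimum fixed versions per major release line, as stated in the advisory.
FIXED_7X = (7, 9, 20)
FIXED_8X = (8, 1, 17)


def parse_version(version: str) -> tuple:
    """Turn '8.1.16' (optionally with a suffix like '-rc1') into a
    comparable tuple of the leading numeric components."""
    parts = re.findall(r"\d+", version.strip())
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version: str) -> bool:
    """True if an Ignition version is in the ranges affected by CVE-2022-35890:
    anything before 7.9.20, or an 8.x release before 8.1.17."""
    v = parse_version(version)
    if v[0] < 8:
        return v < FIXED_7X
    if v[0] == 8:
        return v < FIXED_8X
    return False


def hosts_needing_upgrade(inventory: dict) -> list:
    """Given {hostname: version}, return the hostnames still on affected
    versions, sorted for stable reporting."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample_inventory = {
        "gw-plant-a": "7.9.19",
        "gw-plant-b": "7.9.20",
        "gw-lab":     "8.1.16",
        "gw-hq":      "8.1.17",
        "gw-new":     "8.1.20",
    }
    for host in hosts_needing_upgrade(sample_inventory):
        print(f"{host}: {sample_inventory[host]} is affected, upgrade required")
```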
Source: This report was generated using AI