CVE-2023-50222: 
Inductive Automation Ignition vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2023-50222) was identified in Inductive Automation Ignition. The vulnerability was discovered by Piotr Bazydlo of Trend Micro Zero Day Initiative and publicly disclosed on January 5, 2024. This issue affects installations of Inductive Automation Ignition and has been assigned a CVSS score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (ZDI Advisory).

The vulnerability exists within the ResponseParser method of Inductive Automation Ignition. The specific flaw results from the lack of proper validation of user-supplied data, which can lead to deserialization of untrusted data. The high CVSS score of 8.8 indicates the critical nature of this vulnerability (ZDI Advisory).

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. An attacker can leverage this vulnerability to execute code in the context of the current user. The attack requires user interaction, specifically that the target must connect to a malicious server (ZDI Advisory).

Inductive Automation has released an update to address this vulnerability. Users are recommended to apply the security update to protect their systems. The vulnerability was reported to the vendor on August 29, 2023, and a coordinated public release of the advisory was made on January 5, 2024 (ZDI Advisory, Inductive Security).