CVE-2023-50232: 
Inductive Automation Ignition vulnerability analysis and mitigation

CVE-2023-50232 is a remote code execution vulnerability affecting Inductive Automation Ignition software. The vulnerability was discovered by Piotr Bazydlo of Trend Micro Zero Day Initiative and was publicly disclosed on February 21, 2024. The vulnerability has a CVSS score of 8.8 (High) with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

The vulnerability exists within the getParams method of Inductive Automation Ignition. The specific flaw stems from the lack of proper validation of user-supplied strings before they are used to prepare arguments for system calls. This vulnerability requires user interaction, specifically that the target must connect to a malicious server (ZDI Advisory).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. The code execution occurs in the context of the current user (ZDI Advisory).

Inductive Automation has released an update to address this vulnerability. Users are advised to update their installations to the latest version (ZDI Advisory, Inductive Security).