Inductive Automation Ignition OPC UA Quick Client Task Scheduling Exposed Dangerous Function Remote Code Execution Vulnerability
CVE-2023-38124

8.8HIGH

Key Information:

Vendor: Inductive Automation
Status: Ignition
Vendor: CVE Published:; 3 May 2024

🔔 Create Inductive Automation Vulnerability Alert

What is CVE-2023-38124?

A significant vulnerability has been identified in Inductive Automation's Ignition platform, specifically within the Ignition Gateway server. This flaw involves the exposure of a dangerous function that enables remote attackers to execute arbitrary code on affected installations. Authentication is needed to exploit this vulnerability, which poses a risk as it allows execution of code with SYSTEM-level privileges. As a result, timely updates and security measures are crucial for protecting installations against potential exploitations.

Affected Version(s)

Ignition 8.1.24

References

https://www.zerodayinitiative.com/advisories/ZDI-23-1015/

x_research-advisory

https://inductiveautomation.com/blog/inductive-automation...

vendor-advisory

EPSS Score

53% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 3, 2024
Vulnerability Reserved
Jul 12, 2023

JSON