CVE-2022-35873

Name of the Vulnerable Software and Affected Versions Inductive Automation Ignition version 8.1.15 (b2022030114)

Description This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the target must visit a malicious page or open a malicious file. The flaw exists within the processing of ZIP files, where crafted data can cause the application to execute arbitrary Python scripts. The user interface fails to provide sufficient indication of the hazard, and an attacker can leverage this to execute code in the context of SYSTEM.

Recommendations For Inductive Automation Ignition version 8.1.15 (b2022030114), consider disabling the processing of ZIP files until a patch is available to prevent the execution of arbitrary Python scripts. Restrict access to the user interface to minimize the risk of exploitation. Avoid using crafted ZIP files in the affected application until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.