{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13913", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-12-02T17:43:55.964Z", "datePublished": "2026-03-12T18:17:22.839Z", "dateUpdated": "2026-03-12T19:06:53.296Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-12T18:17:22.839Z"}, "title": "Inductive Automation Ignition Software Deserialization of Untrusted Data", "datePublic": "2026-03-12T15:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502", "type": "CWE"}]}], "affected": [{"vendor": "Inductive Automation", "product": "Ignition Software", "versions": [{"status": "affected", "version": "0", "lessThan": "8.3.0", "versionType": "custom"}, {"status": "unaffected", "version": "8.3.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Inductive Automation Ignition Software\u00a0is vulnerable to an unauthenticated API endpoint exposure that may allow an attacker to remotely change the \"forgot password\" recovery email address.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Inductive Automation Ignition Software&nbsp;is vulnerable to an unauthenticated API endpoint exposure that may allow an attacker to remotely change the \"forgot password\" recovery email address."}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"}, {"url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"}}], "workarounds": [{"lang": "en", "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide", "supportingMedia": [{"type": "text/html", "base64": false, "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}]}, {"lang": "en", "value": "MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u00a0\n\n * Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u00a0a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u00a0\n * Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u00a0\n * Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\n * Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\n * Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u00a0 \nproduction environments. See Ignition Deployment Best Practices.\n * When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\n * When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\n * When feasible, deploy Ignition \nwithin hardened or containerized environments.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>\nMITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.&nbsp;</div><div><ol><li>Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).&nbsp;a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.&nbsp;</li><li>Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).&nbsp;</li><li>Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.</li><li>Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.</li><li>Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to&nbsp; \nproduction environments. See Ignition Deployment Best Practices.</li><li>When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.</li><li>When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).</li><li>When feasible, deploy Ignition \nwithin hardened or containerized environments.\n\n\n\n<br></li></ol></div>"}]}], "solutions": [{"lang": "en", "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater."}]}], "credits": [{"lang": "en", "value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation.", "type": "finder"}], "source": {"advisory": "ICSA-26-071-06", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:06:06.866760Z", "id": "CVE-2025-13913", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:06:53.296Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13913", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T19:06:06.866760Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:06:39.250Z"}}], "cna": {"title": "Inductive Automation Ignition Software Deserialization of Untrusted Data", "source": {"advisory": "ICSA-26-071-06", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.4, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Inductive Automation", "product": "Ignition Software", "versions": [{"status": "affected", "version": "0", "lessThan": "8.3.0", "versionType": "custom"}, {"status": "unaffected", "version": "8.3.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater.", "supportingMedia": [{"type": "text/html", "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater.", "base64": false}]}], "datePublic": "2026-03-12T15:00:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"}, {"url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}], "workarounds": [{"lang": "en", "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide", "supportingMedia": [{"type": "text/html", "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide", "base64": false}]}, {"lang": "en", "value": "MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u00a0\n\n * Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u00a0a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u00a0\n * Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u00a0\n * Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\n * Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\n * Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u00a0 \nproduction environments. See Ignition Deployment Best Practices.\n * When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\n * When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\n * When feasible, deploy Ignition \nwithin hardened or containerized environments.", "supportingMedia": [{"type": "text/html", "value": "<div>\nMITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.&nbsp;</div><div><ol><li>Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).&nbsp;a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.&nbsp;</li><li>Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).&nbsp;</li><li>Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.</li><li>Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.</li><li>Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to&nbsp; \nproduction environments. See Ignition Deployment Best Practices.</li><li>When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.</li><li>When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).</li><li>When feasible, deploy Ignition \nwithin hardened or containerized environments.\n\n\n\n<br></li></ol></div>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Inductive Automation Ignition Software\u00a0is vulnerable to an unauthenticated API endpoint exposure that may allow an attacker to remotely change the \"forgot password\" recovery email address.", "supportingMedia": [{"type": "text/html", "value": "Inductive Automation Ignition Software&nbsp;is vulnerable to an unauthenticated API endpoint exposure that may allow an attacker to remotely change the \"forgot password\" recovery email address.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-12T18:17:22.839Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13913", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:06:53.296Z", "dateReserved": "2025-12-02T17:43:55.964Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-03-12T18:17:22.839Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Inductive Automation Ignition Software\u00a0is vulnerable to an unauthenticated API endpoint exposure that may allow an attacker to remotely change the \"forgot password\" recovery email address."}], "id": "CVE-2025-13913", "lastModified": "2026-03-12T21:07:53.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-03-12T19:16:14.250", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{}