CVE-2025-13911: Execution with Unnecessary Privileges in Automation Ignition

Severity: 7.3 HIGH (NVD)
EPSS: 0.0% (top 93.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 18

Description

The vulnerability affects Ignition SCADA applications where Python scripting is utilized for automation purposes. The vulnerability arises from the absence of proper security controls that restrict which Python libraries can be imported and executed within the scripting environment. The core issue lies in the Ignition service account having system permissions beyond what an Ignition privileged user requires. When an authenticated administrator uploads a malicious project file containing Python s

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (1 package)

CVEListV5: inductive_automation/ignition 8.1.x, 8.3.x +1

Vulnerability Details (2)

CVEList: Inductive Automation Ignition Execution with Unnecessary Privileges (2025-12-18)
GHSA: GHSA-wmxh-4mgr-2w85: The vulnerability affects Ignition SCADA applications where Python scripting is utilized for automation purposes (2025-12-18)