PatchSiren cyber security CVE debrief
CVE-2025-13911 Inductive Automation CVE debrief
CVE-2025-13911 is a medium-severity vulnerability (CVSS 6.4) in Inductive Automation Ignition SCADA applications that use Python scripting. Published on December 18, 2025, the issue stems from insufficient security controls restricting Python library imports and execution within the scripting environment. The root cause is the Ignition service account possessing excessive system permissions beyond what privileged users actually require. An authenticated administrator can exploit this by uploading a malicious project file containing Python scripts with bind shell capabilities, which then execute with SYSTEM-level privileges on Windows (matching the Ignition Gateway process). Alternative code execution patterns may achieve similar results. The vulnerability requires high privileges and adjacent network access, with high attack complexity.
- Vendor: Inductive Automation
- Product: Ignition
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-18
- Original CVE updated: 2025-12-18
- Advisory published: 2025-12-18
- Advisory updated: 2025-12-18
Who should care
Organizations operating Inductive Automation Ignition SCADA systems, particularly those with Python scripting enabled. Critical infrastructure operators, manufacturing facilities, and industrial environments using Ignition for process control should prioritize assessment. Security teams responsible for OT/ICS environments and those managing Windows-based SCADA deployments are most affected.
Technical summary
The vulnerability exists in Ignition's Python scripting environment where library import restrictions are absent. The Ignition Gateway process typically runs with SYSTEM privileges on Windows. An authenticated administrator can upload a crafted project file containing malicious Python scripts that establish bind shells or execute arbitrary code. These scripts inherit the Gateway process privileges, resulting in complete system compromise. The attack requires administrative authentication and project upload capabilities, with high complexity due to the need for crafted malicious content.
Defensive priority
medium
Recommended defensive actions
- Review and restrict Python library imports in Ignition scripting environments to only approved, necessary libraries
- Run the Ignition Gateway service under a dedicated service account with least-privilege permissions rather than SYSTEM
- Implement strict access controls on project file uploads, requiring multi-person review for administrative changes
- Audit existing Ignition projects for unauthorized Python scripts or suspicious library imports
- Monitor for anomalous process execution and network connections from the Ignition Gateway service
- Apply security updates from Inductive Automation's Trust Portal when available
- Segment Ignition systems from broader network access where possible
- Enable comprehensive logging of script execution within the Ignition environment
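The audit and import-restriction items above can be backed by a static check over exported project scripts. The following is an added example, not part of the PatchSiren debrief or of Inductive Automation's tooling; it assumes scripts have been exported to text, and the watch-list and sample scripts are constructed for illustration.

```python
import ast
import re

# Constructed watch-list of modules with OS or network reach; use your own policy.
RISKY_MODULES = {"socket", "subprocess", "os", "ctypes", "commands", "java.lang"}

# Constructed sample scripts standing in for exported Ignition project scripts.
SAMPLE_SCRIPTS = {
    "tags/clean.py": "import math\nfrom java.util import Date\nprint 'ok'\n",
    "gateway/suspect.py": "import socket, subprocess\nfrom os import path\nmod = __import__('ctypes')\n",
}

def _regex_imports(source):
    # Line-based fallback for Jython 2.7 scripts that Python 3's ast rejects.
    found = []
    for line in source.splitlines():
        m = re.match(r"\s*import\s+(.+)", line)
        if m:
            found.extend(p.split()[0] for p in m.group(1).split(",") if p.strip())
            continue
        m = re.match(r"\s*from\s+([\w.]+)\s+import\b", line)
        if m:
            found.append(m.group(1))
    return found

def find_imports(source):
    # Module names a script imports, including literal __import__("x") calls
    # that a plain grep for "import socket" would miss.
    try:
        tree = ast.parse(source)
    except SyntaxError:  # Jython-only syntax, e.g. the print statement
        return _regex_imports(source)
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.append(node.module)
        elif isinstance(node, ast.Call) and getattr(node.func, "id", None) == "__import__":
            if node.args and isinstance(getattr(node.args[0], "value", None), str):
                found.append(node.args[0].value)
    return found

def flag_risky(imports):
    # Keep only imports that are on, or beneath, a watch-listed module.
    return sorted({n for n in imports
                   if any(n == r or n.startswith(r + ".") for r in RISKY_MODULES)})

def audit_scripts(scripts):
    # Map each script path to its flagged imports; clean scripts are omitted.
    report = {p: flag_risky(find_imports(s)) for p, s in scripts.items()}
    return {p: f for p, f in report.items() if f}
```

Run `audit_scripts` over a dictionary of path-to-source pairs; anything it reports is a script to review against the approved-library list.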
Evidence notes
Source: CISA CSAF advisory ICSA-25-352-01. CVSS 3.1 vector: AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. Vendor confirmed: Inductive Automation.
Official resources
- CVE-2025-13911 CVE record (CVE.org)
- CVE-2025-13911 NVD detail (NVD)
- Source item: CISA CSAF advisory ICSA-25-352-01 (cisa_csaf)
2025-12-18