ATTENTION: Exploitable remotely/low skill level to exploit.

Successful exploitation of this vulnerability could allow an attacker to gain access to sensitive information.

The following versions of Inductive Automation Ignition are affected:

Inductive Automation Ignition 8: All versions prior to 8.0.13

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHORIZATION CWE-862

The affected product is vulnerable to an information leak, which may allow an attacker to obtain sensitive information. An HTTP request to the unprotected API could be used to determine whether an arbitrary file path exists on the filesystem. No authentication is required to perform this exploit.

CVE-2020-14520 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Information Technology

Mashav Sapir of Claroty reported this vulnerability to CISA.

Inductive Automation recommends users upgrade the Ignition software to v8.0.13.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
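
The missing-authorization weakness (CWE-862) in the vulnerability overview can be modelled as a handler whose unauthenticated responses differ depending on whether a path exists. This is an added example, not code from Ignition or from the advisory: the handler names, status codes and token are hypothetical, and it contrasts the unprotected pattern with one that authorizes before touching the filesystem, plus a regression check for the leak.

```python
import hmac
import os
import tempfile

# Constructed token for the demo; a real service would rely on its own
# session or authentication layer (assumption, not Ignition's mechanism).
VALID_TOKEN = "demo-token-constructed"


def path_exists_unprotected(path, token=None):
    """'Before' pattern: answers any caller, so the reply is an existence oracle."""
    return (200, "exists") if os.path.exists(path) else (404, "missing")


def is_authorized(token):
    """Compare the presented token in constant time; None means no credentials."""
    if token is None:
        return False
    return hmac.compare_digest(token.encode(), VALID_TOKEN.encode())


def path_exists_protected(path, token=None):
    """'After' pattern: authorize first, and only then consult the filesystem."""
    if not is_authorized(token):
        # Identical reply for every path: nothing about the filesystem is revealed.
        return (401, "unauthorized")
    return (200, "exists") if os.path.exists(path) else (404, "missing")


def leaks_existence(handler):
    """Regression check: do unauthenticated replies differ for a real and a fake path?"""
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "present.txt")
        with open(real, "w") as fh:
            fh.write("constructed sample file")
        fake = os.path.join(tmp, "absent.txt")
        return handler(real, token=None) != handler(fake, token=None)


if __name__ == "__main__":
    print("unprotected handler leaks:", leaks_existence(path_exists_unprotected))
    print("protected handler leaks:  ", leaks_existence(path_exists_protected))
```
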