Welcome to the Inductive Automation Trust Portal
Thousands of companies worldwide depend on Ignition
- See Founder’s Message and Company Leadership
- Customers, Case Studies, Projects, Discover Gallery
- SDLC guide. (Duo/CrowdStrike) case studies
- Vulnerabilities/contact: security@inductiveautomation.com (PGP)
CVE-2025-13911 (Ignition Windows Default)
If you noticed Ignition CVE-2025-13911, you're probably wondering what this means for you.
The default Ignition installation on Windows grants greater operating system permissions than are needed in most cases. If an Ignition administrator imports malicious project resources, the result could be a system-level compromise or other significant effects.
This Tech Advisory contains more information. Steps #1-#3 correct the issue. The Ignition Security Hardening Guide has been updated with “Appendix A - Restrict the Ignition Service Security” with additional recommendations.
Feel free to reach out to Inductive Automation if you have any additional questions.
CVE-2025-13913 (Ignition file import)
Ignition software versions prior to 8.3.0 are affected by CVE‑2025‑13913. If a privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, the malicious code embedded in that file is executed. This issue was responsibly reported by security researchers at Meta. No exploits are known to exist in the wild.
Following the guidance in Appendix A – Restrict the Ignition Service Security of the Ignition Security Hardening Guide is considered best practice and reduces the risk of exploitation by limiting the privileges available to the Ignition service.
Clarification: Early public descriptions of CVE‑2025‑13913 incorrectly stated that “Inductive Automation Ignition Software is vulnerable to an unauthenticated API endpoint exposure that may allow an attacker to remotely change the ‘forgot password’ recovery email address.” This was inaccurate and has since been corrected.
Questions, concerns, or reports of exploitation may be directed to security@inductiveautomation.com.
OpenSSL CVE‑2025‑15467 (Ignition NOT affected)
Ignition software is not affected by CVE‑2025‑15467, an OpenSSL vulnerability. While Ignition 8.3.3 and 8.1.52 include OpenSSL-related dependencies within the Siemens Enhanced Driver and IEC 61850 Driver modules, these modules do not use OpenSSL in a manner that is exposed to the vulnerability.
As a general security best practice, Inductive Automation recommends uninstalling Ignition software modules that are not in use.
Customers should continue to follow the guidance in the Ignition Security Hardening Guide, including maintaining network segmentation between users and PLCs or OT devices accessed through Ignition drivers.
Questions or concerns may be directed to security@inductiveautomation.com.
CVE‑2025‑55182 (critical React server components vulnerability)
Inductive Automation has verified that CVE‑2025‑55182 (critical React server components vulnerability) does not impact Ignition software, including transitive dependencies. All versions of Ignition and supporting infrastructure are confirmed to be secure.
Shai-Hulud Malware Update (No Threat)
Inductive Automation is not affected by Shai-Hulud-related malware activity. Our Software Development Lifecycle includes thorough vetting processes, including pinning dependencies. A security team and automated tools are actively monitoring potential impact to Ignition and the software repository.
This attack does not target end users directly. Customers are advised to adhere to the Ignition Security Hardening Guide for best practices. Contact security@inductiveautomation.com with specific questions or concerns.




