CVE-2025-13911: Why Ignition Service Account Privileges Must Be Reviewed

20/12/2025

Samurai Digital Security would like to bring attention to the responsible disclosure of CVE-2025-13911, a high-impact vulnerability in Inductive Automation’s Ignition Gateway. Identified by our own Momen Eldawakhly, the vulnerability has been acknowledged by CISA (ICSA-25-352-01) and catalogued within the National Vulnerability Database (NVD).

This finding highlights a frequent and often overlooked misconfiguration in Operational Technology (OT) environments: service accounts with excessive privileges that quietly introduce risk during routine operations.

Summary of the Vulnerability

CVE-2025-13911 relates to a failure in enforcing the principle of least privilege. When an Ignition project or resource is imported by an authenticated user, embedded scripts may be executed using the same Windows service account context as the Ignition Gateway.

In many environments, this service account runs as LocalSystem, a highly privileged context on Windows hosts. This effectively elevates a user-initiated import to full system-level execution, depending on how the host is configured.

Why It Matters

Although this vulnerability requires authenticated access and is not directly exploitable from the internet, it presents a significant risk in OT and ICS settings where:

  • Administrator credentials may be reused across systems or obtained through phishing
  • Change control gates are bypassed in production environments due to time pressures
  • Default Windows service configurations are retained post-deployment

The complexity of exploitation should not obscure the risk. In real-world environments, the combination of misconfiguration, time constraints, and overly permissive defaults can have serious consequences.

Technical Context

Ignition supports Python-based scripting as part of its automation framework. During project import, an attacker with the correct privileges could introduce a script designed to perform unauthorised OS-level actions. If the Ignition Gateway is running under a LocalSystem or otherwise privileged account, the impact may include:

  • Arbitrary code execution with SYSTEM privileges
  • Manipulation or deletion of files on the host OS
  • Introduction of persistence mechanisms at the operating system level

The issue is categorised as CWE-250: Execution with Unnecessary Privileges, and the root cause lies not in the scripting engine, but in the intersection between application behaviour and host-level configuration.

[Image: Inductive Automation’s Ignition dashboard screenshot]

Recommended Actions

Inductive Automation has published a technical advisory providing mitigation guidance. Samurai Security recommends the following practical steps for asset owners and IT teams managing Ignition deployments.

1. Review and Restrict Ignition Gateway Service Accounts

Avoid running the Ignition Gateway under LocalSystem or other broadly privileged accounts. Create a dedicated local Windows service account with only the permissions required to operate the platform. Ensure the following:

  • No interactive logon rights
  • No unnecessary group memberships
  • No domain privileges unless strictly necessary

2. Constrain File System Access

Limit the Ignition service account to directories it requires for execution and storage. Explicitly deny access to system paths such as the Windows directory and user profiles. Audit temporary directories to ensure they do not expose unnecessary file system areas.
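The following PowerShell script is an added example for recommendations 1 and 2; it is not code from Samurai Security or Inductive Automation. It reads the logon account of the Ignition Gateway Windows service and reports the conditions listed above: the service running as LocalSystem, membership in broad local groups, a missing "Deny log on locally" assignment, and explicit write access on the Windows directory or the user profile root. The service name (assumed here to be "Ignition") and the install root are assumptions exposed as parameters; access that the account inherits through group membership is not evaluated, so a clean result is a starting point for a manual review, not a sign-off.

```powershell
# Added example (not Samurai Security's or Inductive Automation's code).
# Audits the Windows service account of the Ignition Gateway against the
# article's recommendations 1 and 2. Run from an elevated PowerShell 5.1+ session:
# secedit and Get-LocalGroupMember both require it.
# Assumptions (labelled): the service is registered as 'Ignition' and installed
# under C:\Program Files\Inductive Automation\Ignition; adjust the parameters.

param(
    [string]$ServiceName = 'Ignition',
    [string]$InstallRoot = 'C:\Program Files\Inductive Automation\Ignition'
)

$findings = New-Object System.Collections.Generic.List[string]

# --- 1. Service logon account ----------------------------------------------
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; pass -ServiceName for your install." }
$account = $svc.StartName                      # e.g. 'LocalSystem' or '.\svc-ignition'
Write-Host "Service '$ServiceName' runs as: $account (install root: $InstallRoot)"

if ($account -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
    $findings.Add('Gateway runs as LocalSystem: scripts executed during an import inherit full SYSTEM rights.')
}
# Normalise a local account written as '.\name' to 'HOST\name' for later comparisons.
$account = $account -replace '^\.\\', "$env:COMPUTERNAME\"

# --- 2. Unnecessary group memberships (local or domain user accounts) --------
if ($account -ne 'LocalSystem' -and $account -notlike 'NT AUTHORITY\*') {
    foreach ($group in 'Administrators', 'Remote Desktop Users', 'Backup Operators') {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members.Name -contains $account) {
            $findings.Add("Service account is a member of '$group'; remove it unless strictly required.")
        }
    }
}

# --- 3. Interactive logon: the account should appear in 'Deny log on locally' ---
if ($account -ne 'LocalSystem') {
    $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'ignition-secpol.inf'
    secedit /export /cfg $cfg /quiet | Out-Null          # exports the local security policy
    $policy = Get-Content $cfg
    Remove-Item $cfg -Force
    $denyLine = $policy | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }
    if (-not ($denyLine -match [regex]::Escape("*$sid"))) {
        $findings.Add("Service account is not in 'Deny log on locally'; add it so the account cannot open interactive sessions.")
    }
}

# --- 4. Explicit write access on system paths (recommendation 2) ------------
$systemPaths = @($env:SystemRoot, (Split-Path $env:USERPROFILE -Parent))   # e.g. C:\Windows, C:\Users
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
foreach ($path in $systemPaths) {
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($ace.IdentityReference.Value -eq $account -and
            $ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            $findings.Add("Service account has an explicit Allow ACE with write rights on $path; replace it with a Deny entry.")
        }
    }
}

# --- 5. Report ----------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Host 'No findings (note: group-inherited file system access was not evaluated).'
} else {
    Write-Host "`nFindings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Each finding maps to one line of the checklist above: the LocalSystem check answers the first paragraph of recommendation 1, the group and logon-right checks answer its three bullets, and the ACL pass answers recommendation 2. Where the script reports a missing "Deny log on locally" entry, the fix is a user rights assignment in local or group policy rather than a change to the service itself.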

3. Treat Project Imports as Code Deployments

Imports should be treated as controlled deployments, not administrative shortcuts. Recommended best practices include:

  • Validating imported resources using checksums or digital signatures
  • Introducing staging environments to separate development, testing, and production workflows
  • Restricting imports in live environments to verified administrators
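As an added example of the first bullet above (validating imported resources using checksums), the following PowerShell function gates a project export before it reaches a production Gateway. It is not code from Samurai Security or Inductive Automation, and it assumes two things: that the approved build step records a manifest in the form "sha256  filename" (one line per artefact, as you would write out from Get-FileHash yourself), and that script resources inside the exported archive can be recognised heuristically by a ".py" extension. The demonstration at the end builds a small constructed archive rather than a real Ignition export, then tampers with it to show the gate failing.

```powershell
# Added example (not Samurai Security's or Inductive Automation's code).
# Gate an Ignition project export (.zip) before import: require its SHA-256 to
# match the approved manifest, and list the script resources it contains so the
# approver can see what will execute under the Gateway service account.
# Assumptions (labelled): manifest lines are 'sha256  filename'; scripts are
# identified by a '.py' entry name, which you may need to adjust to your export layout.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-IgnitionImportArtifact {
    param(
        [Parameter(Mandatory)] [string]$ArchivePath,
        [Parameter(Mandatory)] [string]$ManifestPath
    )

    # 1. Integrity: the artefact must match the hash recorded at approval time.
    $actual = (Get-FileHash -Path $ArchivePath -Algorithm SHA256).Hash.ToLowerInvariant()
    $name   = Split-Path $ArchivePath -Leaf
    $expected = $null
    foreach ($line in Get-Content $ManifestPath) {
        $parts = $line.Trim() -split '\s+', 2
        if ($parts.Count -eq 2 -and $parts[1] -eq $name) { $expected = $parts[0].ToLowerInvariant(); break }
    }
    if (-not $expected) {
        return [pscustomobject]@{ Approved = $false; Reason = "No manifest entry for $name"; Scripts = @() }
    }
    if ($expected -ne $actual) {
        return [pscustomobject]@{ Approved = $false; Reason = 'SHA-256 mismatch: artefact differs from the approved build'; Scripts = @() }
    }

    # 2. Visibility: enumerate embedded script resources for the approver's review.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ArchivePath)
    try {
        $scripts = @($zip.Entries | Where-Object { $_.FullName -like '*.py' } | ForEach-Object { $_.FullName })
    } finally {
        $zip.Dispose()
    }
    [pscustomobject]@{ Approved = $true; Reason = 'Hash verified'; Scripts = $scripts }
}

# --- Demonstration on a constructed archive (not a real Ignition export) ------
$work = Join-Path $env:TEMP 'ignition-import-demo'
$src  = Join-Path $work 'src'
New-Item -ItemType Directory -Path (Join-Path $src 'ignition\script-python\demo') -Force | Out-Null
Set-Content -Path (Join-Path $src 'ignition\script-python\demo\code.py') -Value '# constructed sample script'
$archive = Join-Path $work 'demo-project.zip'
if (Test-Path $archive) { Remove-Item $archive -Force }
Compress-Archive -Path (Join-Path $src '*') -DestinationPath $archive

# The manifest would normally come from the build/approval step; here it is constructed
# from the freshly built archive so the first check passes.
$manifest = Join-Path $work 'approved.sha256'
"$((Get-FileHash $archive -Algorithm SHA256).Hash)  demo-project.zip" | Set-Content $manifest

Test-IgnitionImportArtifact -ArchivePath $archive -ManifestPath $manifest | Format-List

# Tamper with the archive after approval: the hash gate must now reject it.
Add-Content -Path $archive -Value 'x'
Test-IgnitionImportArtifact -ArchivePath $archive -ManifestPath $manifest | Format-List
```

The function deliberately returns a result object instead of throwing, so it can sit inside a deployment pipeline that records the decision in an audit trail; the script listing is what turns an import from an opaque upload into a reviewable change, which is the point of treating imports as code deployments.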

4. Strengthen Governance of Privileged Accounts

Accounts with permissions to perform project imports or configure the Ignition Gateway should be subject to enhanced controls:

  • Multi-factor authentication
  • Regular password rotation
  • Role-based access control aligned with least privilege
  • Clear audit trails and logging for all configuration changes

5. Apply Broader ICS Security Controls

CISA’s recommendations remain relevant. Minimise external exposure, segregate OT and IT networks, and use secured remote access solutions with rigorous access validation. Regularly review firewall rules, VPN access, and administrative paths.

Strategic Implications for OT Security Teams

This vulnerability demonstrates how operational risk is shaped not only by software flaws but also by configuration practices and operational shortcuts. CVE-2025-13911 is significant because it reflects typical patterns we observe during OT security assessments, including:

  • Service accounts retained from installation with full host access
  • Informal deployment of scripts between test and production environments
  • Lack of clarity around import-related privilege boundaries

Defenders must continue to model not only external threats but also the impact of internal misuse, human error, or configuration drift.

How Samurai Security Can Help

Organisations operating Inductive Automation Ignition, particularly within critical sectors such as healthcare, manufacturing, logistics, or finance, should assess their exposure.

Samurai Security provides targeted ICS and OT security services, including:

  • Security assessments focused on Ignition Gateway configurations
  • Service account and privilege reviews on Windows hosts
  • Development of import validation and deployment workflows
  • Design and implementation of role-based access controls and monitoring
  • Technical advisory support to meet CISA, NIST, and ISO 27001 standards

Acknowledgement and Responsible Disclosure

We thank Inductive Automation for their professional handling of this disclosure process, and CISA for publishing the advisory. The coordinated response ensures that organisations have the information required to address the risk appropriately.

The vulnerability is now listed in the National Vulnerability Database (NVD) as CVE-2025-13911 and is tracked within the ICS advisory catalogue under ICSA-25-352-01.

Conclusion

Privilege boundaries remain a critical concern in OT environments. CVE-2025-13911 serves as a reminder that routine administrative operations, such as resource imports, can become high-impact security events when underlying configurations are not adequately reviewed.

For technical teams and security leaders, this is an opportunity to revisit assumptions about how systems operate in production. Apply the principle of least privilege rigorously and ensure that operational processes do not inadvertently expand the attack surface.

If your organisation requires support in reviewing Ignition deployments or assessing ICS risk exposure more broadly, contact Samurai Security to arrange a consultation.