The vulnerability is exploitable by connecting a specific URL address. The successful connection to this URL results in a prompt to download files containing important details about system and project information, including authorized usernames and password hashes.
Inductive Automation has fixed the vulnerability and has issued a patch to address it. ICS-CERT has validated that this patch fully resolves this vulnerability.
Affected versions involved all Ignition versions prior to version 22.214.171.124.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture and product implementation.To apply the patch, upgrade to any Ignition version higher than 126.96.36.199. The latest version of the 7.2 line is 7.2.11, which can be downloaded at http://www.inductiveautomation.com/downloads/ignition/archive.