OPC UA Deep Dive Series (Part 8): Gaining Client-Side Remote Code Execution
ID: e146ed6c-dbd6-5875-a8d2-a1c6df40e80d
STIX ID: report--e146ed6c-dbd6-5875-a8d2-a1c6df40e80d
Feed Name: Claroty Team82
Team82’s report describes the discovery and exploitation of multiple vulnerabilities in two widely used OPC UA clients (Inductive Automation Ignition and Softing edgeAggregator). By abusing unsanitized OPC UA-provided fields, they achieved cross-site scripting in the clients' web UIs and chained those primitives into remote code execution: in Ignition, by loading attacker-supplied JavaScript and abusing project event-scheduled Jython scripts; in Softing, by an XSS-triggered backup restore and a zip-slip that overwrote a shared object (libacl.so.1). The report lists CVE identifiers, demonstrates the proof-of-concept chains used at Pwn2Own Miami 2023, and notes that the vendors released patches and mitigations.
