The Issue
Microsoft JDBC driver for SQL Server is vulnerable to a hostname spoofing issue due to a flaw in the driver's SSL certificate validation functionality, specifically the parseCommonName() method. This method performs unsafe string parsing on the "canonical" format of X.509 Distinguished Names, which can be exploited by malicious certificates. This is outlined in CVE-2025-59250 (CVSS v3 8.1 “high”).
To exploit this issue, an attacker could redirect a victim’s existing Ignition MS SQL database connection to a malicious server through techniques like DNS poisoning or phishing. The attacker could then supply a crafted, malicious X.509 certificate that bypasses hostname validation by embedding fake hostnames within other certificate attributes. This could cause the JDBC driver to trust the certificate and enable attacker-in-the-middle attacks through allowing the attacker to intercept SQL credentials.
The Solution
Upgrade the MSSQL JDBC Driver
IA recommends downloading and installing the latest stable production MSSQL JDBC driver (version 13.2.1 at the time of this writing). The CVE outlines all fixed versions.
For instructions on upgrading JDBC drivers, see the JDBC Drivers and Translators page of the User Manual for your Ignition version:
New Connection Setting and Certificate Requirements
Another important detail regarding this solution is that MSSQL JDBC driver versions 10.2 or higher introduce potentially breaking changes:
- TLS encryption is now enabled by default unless the “encrypt” connection property is set to false explicitly.
- When encrypt = false but the server requires encryption, the certificate is validated based on the trustServerCertificate connection setting.
Review these connection properties before upgrading your JDBC driver to ensure your connections are properly secured and do not result in a faulted state.
For a secure connection with these changes, apply the following parameters to the Default Connection Properties setting located under the MSSQL JDBC Driver & Default Settings:
encrypt=true;trustServerCertificate=false
With encrypt set to true and trustServerCertificate set to false, your MSSQL database connections will require that the database server's certificate be added to the Ignition Gateway's supplemental keystore, which IA strongly recommends. See the Ignition User Manual page on Security Certificates for more information on where to add your own security certificate.
If certificates are not possible at the moment and a temporary workaround is needed to defer the problem, set encrypt=false and trustServerCertificate=true explicitly to restore the old default values. Keep in mind that this results in an insecure configuration and is not recommended as a permanent solution.
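As an added example (not IA's or Microsoft's code), the following script applies the 10.2+ defaults described above to an Ignition Default Connection Properties string and reports what the upgraded driver will effectively do. The function names and the "false" default for trustServerCertificate are assumptions, and the pre-10.2 default of encrypt=false is inferred from the note that TLS is "now" enabled by default.

```python
"""Classify an MSSQL JDBC "Default Connection Properties" string under the
driver 10.2+ defaults: TLS on unless encrypt=false is explicit, and the
certificate check governed by trustServerCertificate."""
import re


def parse_connection_properties(props: str) -> dict:
    """Parse "key=value;key=value" into a dict keyed by lower-cased names."""
    result = {}
    for part in props.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed connection property: {part!r}")
        result[key.strip().lower()] = value.strip()
    return result


def _version_tuple(version: str) -> tuple:
    return tuple(int(p) for p in re.findall(r"\d+", version))


def effective_tls_settings(props: str, driver_version: str) -> dict:
    """Resolve the effective encrypt/trustServerCertificate values and verdict."""
    explicit = parse_connection_properties(props)
    # Driver 10.2 and later enable TLS unless encrypt=false is set explicitly;
    # older drivers are assumed to default to encrypt=false.
    default_encrypt = _version_tuple(driver_version) >= (10, 2)
    encrypt = explicit.get("encrypt", str(default_encrypt)).lower() == "true"
    # Assumed driver default: the server certificate is validated (false).
    trust_any = explicit.get("trustservercertificate", "false").lower() == "true"
    if encrypt and not trust_any:
        verdict = ("secure: the server certificate must be present in the "
                   "Gateway's supplemental keystore or the connection faults")
    elif encrypt and trust_any:
        verdict = ("encrypted but unverified: any certificate is accepted, "
                   "so a spoofed server is not detected")
    elif not encrypt and trust_any:
        verdict = "legacy: pre-10.2 behaviour, temporary workaround only"
    else:
        verdict = ("unencrypted unless the server requires TLS, in which case "
                   "the certificate is validated and an untrusted one faults")
    return {"encrypt": encrypt, "trustServerCertificate": trust_any,
            "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: the recommended setting from this article.
    print(effective_tls_settings("encrypt=true;trustServerCertificate=false", "13.2.1"))
```

Run it against the exact string from the Gateway's MSSQL JDBC Driver settings before upgrading to see which case applies.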