header-logo
Suggest Exploit
vendor:
ABB Cylon Aspect
by:
Gjoko 'LiquidWorm' Krstic
6.1
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: ABB Cylon Aspect
Affected Version From: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware version 0.00.00
Affected Version To: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware version 4.00.00
Patch Exists: NO
Related CWE: CVE-2024-XXXX (not provided in the text)
CPE: abb:cylon_aspect_firmware
Metasploit:
Other Scripts:
Platforms Tested: GNU/Linux, Intel processors, PHP, AspectFT Automation Application Server, lighttpd, Apache, OpenJDK, ErgoTech MIX Deployment Server
2024

ABB Cylon Aspect 4.00.00 Remote Code Execution Vulnerability

The ABB Cylon Aspect BMS/BAS controller before 4.00.00 allows unauthenticated attackers to execute arbitrary shell commands via unsanitized input in the serial and ManufactureDate POST parameters. This vulnerability can be exploited during the manufacturing phase when factory test scripts are present.

Mitigation:

To mitigate this vulnerability, ensure that input is properly sanitized before processing. Additionally, restrict access to the affected parameters and regularly monitor for unauthorized access attempts.
Source

Exploit-DB raw data:

# Exploit title : ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) Remote Code Execution
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=4.00.00

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated
blind command injection vulnerability. Input passed to the serial and ManufactureDate
POST parameters is not properly sanitized, allowing attackers to execute arbitrary
shell commands on the system. While factory test scripts included in the upgrade
bundle are typically deleted, a short window for exploitation exists when the device
is in the manufacturing phase.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5894
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5894.php


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 


$ curl http://192.168.73.31/factorySetSerialNum.php \
> -d "serial=;sleep 2&ManufactureDate=;sleep 3"

Navigation

Suggest Exploit

Services By CQR