Vendor: ABB Cylon Aspect
By: Gjoko 'LiquidWorm' Krstic
CVSS: 6.1 HIGH
Remote Code Execution
CWE: 78
Product Name: ABB Cylon Aspect
Affected Version From: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware version 0.00.00
Affected Version To: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware version 4.00.00
Patch Exists: NO
Related CWE: CVE-2024-XXXX (not provided in the text)
CPE: abb:cylon_aspect_firmware
Metasploit:
Other Scripts:
Platforms Tested: GNU/Linux, Intel processors, PHP, AspectFT Automation Application Server, lighttpd, Apache, OpenJDK, ErgoTech MIX Deployment Server
2024

ABB Cylon Aspect 4.00.00 Remote Code Execution Vulnerability

The ABB Cylon Aspect BMS/BAS controller before 4.00.00 allows unauthenticated attackers to execute arbitrary shell commands via unsanitized input in the serial and ManufactureDate POST parameters. This vulnerability can be exploited during the manufacturing phase when factory test scripts are present.

Mitigation:

To mitigate this vulnerability, ensure that input is properly sanitized before processing. Additionally, restrict access to the affected parameters and regularly monitor for unauthorized access attempts.

Exploit-DB raw data: