The webServerDeviceLabelUpdate.php script on the ABB Cylon Aspect BMS/BAS controller allows authenticated attackers to inject arbitrary content via the 'deviceLabel' POST parameter. The injected content is written to a fixed file location (/usr/local/aam/etc/deviceLabel), potentially causing denial of service.
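An operator-side check for the file named above, as an added example that is not part of the advisory or the vendor's code: it audits the label file for oversize or unexpected content using a bounded read. The 64-byte limit, the allowed character set, and all function names are assumptions to adjust per site.

```python
import os
import re
import tempfile

LABEL_PATH = "/usr/local/aam/etc/deviceLabel"  # fixed location named in the advisory
MAX_LABEL_BYTES = 64                           # assumption: site policy, not a vendor limit
ALLOWED = re.compile(r"[A-Za-z0-9 _.\-]+")     # assumption: plain label alphabet


def audit_label_bytes(data: bytes, total_size: int) -> list:
    """Return findings for label content; an empty list means it looks sane."""
    findings = []
    if total_size > MAX_LABEL_BYTES:
        findings.append(f"oversize: {total_size} bytes > {MAX_LABEL_BYTES}")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return findings + ["not valid UTF-8"]
    text = text.rstrip("\n")  # tolerate trailing newlines left by the writer
    # Anything outside the allow-list (markup, control bytes, embedded newlines).
    bad = sorted({c for c in text if not ALLOWED.fullmatch(c)})
    if bad:
        findings.append(f"unexpected characters: {bad!r}")
    return findings


def audit_label_file(path: str = LABEL_PATH) -> list:
    """Audit the on-disk label without reading an arbitrarily large file."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        data = fh.read(MAX_LABEL_BYTES + 1)  # bounded read
    return audit_label_bytes(data, size)


def run_constructed_samples() -> dict:
    """Audit three constructed label files written to a temporary directory."""
    samples = {"clean": b"AHU-3 Plant Room\n", "markup": b"<b>x</b>\n", "bloat": b"A" * 5000}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = audit_label_file(path)
    return results


if __name__ == "__main__":
    print({name: found or "ok" for name, found in run_constructed_samples().items()})
```

On a controller, call `audit_label_file()` with its default path from a scheduled job and alert on any non-empty result.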