← Advisories

ABB Cylon Aspect 3.08.01 (jsonProxy.php) Servlet Inclusion Authentication Bypass

Critical
Advisory ID
ZSL-2024-5854
Release Date
30 October 2024
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio, Firmware: <=3.08.01
CVE
N/A
Tested On
GNU/Linux 3.15.10 (armv7l), GNU/Linux 3.10.0 (x86_64), GNU/Linux 2.6.32 (x86_64), Intel(R) Atom(TM) Processor E3930 @ 1.30GHz, Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz, PHP/7.3.11, PHP/5.6.30, PHP/5.4.16, PHP/4.4.8, PHP/5.3.3, AspectFT Automation Application Server, lighttpd/1.4.32, lighttpd/1.4.18, Apache/2.2.15 (CentOS), OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64), OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Description

The ABB BMS/BAS controller is vulnerable to remote, arbitrary servlet inclusion. The jsonProxy.php endpoint allows unauthenticated remote attackers to access internal services by proxying requests to localhost. This results in an authentication bypass, enabling attackers to interact with multiple java servlets without authorization, potentially exposing sensitive system functions and information.

Proof of Concept
abb_aspect_rfi1.txtTXT
Disclosure Timeline
21.04.2024Vulnerability discovered.
22.04.2024Vendor contacted.
22.04.2024Vendor responds.
02.05.2024Working with the vendor.
07.08.2024Vendor released version 3.08.02 to address this issue.
30.10.2024Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://packetstormsecurity.com/files/182402/
[2]https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[3]https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-01
Changelog
30.10.2024Initial release
01.09.2025Added reference [2] and [3]