← Advisories

ABB Cylon Aspect 3.08.02 (userManagement.php) Cross-Site Request Forgery

Critical
Advisory ID
ZSL-2024-5870
Release Date
07 December 2024
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio, Firmware: <=3.08.02
CVE
CVE-2024-48846
Tested On
GNU/Linux 3.15.10 (armv7l), GNU/Linux 3.10.0 (x86_64), GNU/Linux 2.6.32 (x86_64), Intel(R) Atom(TM) Processor E3930 @ 1.30GHz, Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz, PHP/7.3.11, PHP/5.6.30, PHP/5.4.16, PHP/4.4.8, PHP/5.3.3, AspectFT Automation Application Server, lighttpd/1.4.32, lighttpd/1.4.18, Apache/2.2.15 (CentOS), OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64), OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Description

The ABB BMS/BAS controller allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Proof of Concept
abb_aspect_csrf1.htmlTXT
Disclosure Timeline
21.04.2024Vulnerability discovered.
22.04.2024Vendor contacted.
22.04.2024Vendor responds.
02.05.2024Working with the vendor.
03.12.2024Vendor releases version 3.08.03 to address this issue.
07.12.2024Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[2]https://www.cve.org/CVERecord?id=CVE-2024-48846
[3]https://nvd.nist.gov/vuln/detail/CVE-2024-48846
[4]https://packetstorm.news/files/id/183031/
[5]https://www.exploit-db.com/exploits/52231
Changelog
07.12.2024Initial release
09.12.2024Added reference [4]
09.05.2025Added reference [5]