ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. The AAM PUP (Primary Utility Protocol) is a proprietary protocol supported by certain building management systems, such as the ABB MATRIX-2 series controllers. It is used for communication and integration with various utility devices within a building's control system. This protocol supports supervisory functions like energy management, alarm and event handling, historical trending, and scheduling.
The ABB Cylon ASPECT system contains an unauthenticated information disclosure vulnerability in the pupDumpStats.php script. When this endpoint is accessed, it triggers the download of a sensitive debug file located at /usr/local/aam/var/pupdbg.dump. This file may contain internal system information, including protocol states, transaction logs, and system mappings. The vulnerability arises from an Insecure Direct Object Reference (IDOR) issue, where the script does not validate or authenticate the requester before allowing access to the debug file. Exploiting this flaw enables an attacker to retrieve sensitive operational data, potentially aiding in further exploitation of the system.