ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.
ABB Cylon Aspect suffers from a broken session management issue. The backend implements inconsistent session validation: it prioritizes the Authorization header over the PHPSESSID cookie, which is normally what authenticates access to the controller system's admin panel. While the PHPSESSID governs access to core configuration areas, the Authorization header acts as a second factor for authenticating against the HMI interface exposed on port 7226 by the mix.jar service. The system, however, does not require both factors together. If a client supplies a valid-looking Authorization header, access is granted even when no valid PHPSESSID is present. This flaw breaks the expected session integrity model and allows an attacker to bypass proper authentication by forging or reusing the Authorization header alone, effectively nullifying multi-factor session enforcement.
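To make the validation flaw concrete, the following added example (not ABB's code) models the two checks side by side: a weak check that short-circuits on a well-formed Authorization header, and a hardened check that requires both the PHPSESSID and the HMI token to validate independently. The session store contents, the "Bearer" scheme and the token values are constructed assumptions; the page does not give the real header format.

```python
import hmac
from dataclasses import dataclass, field

# Constructed server-side stores (assumed names and values, for illustration only).
VALID_PHPSESSIDS = {"4f2a9c7e1b3d5e6f8a0b1c2d3e4f5a6b"}   # issued at admin-panel login
VALID_HMI_TOKENS = {"hmi-token-7226-example"}             # issued for the HMI on port 7226


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def _known(value, store):
    """Constant-time membership test against a server-side store."""
    if value is None:
        return False
    return any(hmac.compare_digest(value.encode(), known.encode()) for known in store)


def _bearer_token(req: Request):
    """Extract the token from an assumed 'Bearer <token>' Authorization header."""
    authz = req.headers.get("Authorization", "")
    return authz[len("Bearer "):] if authz.startswith("Bearer ") else None


def weak_is_authorized(req: Request) -> bool:
    """Models the flaw: a well-formed header is accepted on appearance alone,
    so the PHPSESSID is never consulted when a header is present."""
    if _bearer_token(req):
        return True
    return _known(req.cookies.get("PHPSESSID"), VALID_PHPSESSIDS)


def hardened_is_authorized(req: Request) -> bool:
    """Both factors must validate against their own store; neither short-circuits."""
    cookie_ok = _known(req.cookies.get("PHPSESSID"), VALID_PHPSESSIDS)
    header_ok = _known(_bearer_token(req), VALID_HMI_TOKENS)
    return cookie_ok and header_ok
```

A request carrying only a made-up header passes `weak_is_authorized` but fails `hardened_is_authorized`; only a request with both a known session cookie and a known HMI token passes the hardened check.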