ABB Cylon Aspect Studio 3.08.03 Insecure Permissions

Medium
Advisory ID
ZSL-2025-5951
Release Date
22 May 2025
Vendor
ABB
Affected Version
ASPECT-Studio <=3.08.03
CVE
N/A
Tested On
Microsoft Windows 10 Home (EN), OpenJDK 64-Bit Server VM Temurin-21.0.6+7
Summary

ABB Cylon ASPECT Studio is a graphical programming tool and integrated development environment (IDE) for ABB Cylon ASPECT products. It's used to engineer comprehensive area control and graphical user interface (GUI) solutions, containing a library of logical and graphical widgets. It allows users to monitor and control facilities from anywhere, providing insights into building performance and enabling timely reactions to issues.

Description

The application suffers from an elevation of privileges vulnerability. The executable file is installed with improper permissions: the 'Authenticated Users' group is granted the Modify ('M') flag, so any low-privileged authenticated user on the host can replace the executable with a binary of choice. When the application is later launched by a more privileged user (for example an administrator) or by a service running under a privileged account, the attacker's binary executes in that security context, which is what turns the weak ACL into a privilege escalation.
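The following PowerShell is an added example and is not part of the original advisory or ABB's software. It shows how a practitioner would audit a file or directory for exactly the weakness described above (write or modify rights granted to broad principals such as 'Authenticated Users') and then tighten the ACL so that only Administrators and SYSTEM can change it. The install path in the usage line at the bottom is an assumption; substitute the real ASPECT-Studio installation directory. Principals are matched by well-known SID rather than by name so the check also works on non-English Windows installs.

```powershell
# Added example (not from the advisory): audit an ACL for write/modify rights held by
# low-privileged principals, then repair it. Run from an elevated prompt for Repair-Acl.

function Test-WeakAcl {
    param([Parameter(Mandatory)] [string] $Path)

    # Well-known SIDs that must never hold write rights on program binaries.
    $lowPrivSids = @(
        'S-1-5-11',      # NT AUTHORITY\Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-1-0',       # Everyone
        'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
    )
    # Any of these rights lets an attacker swap the binary or plant files beside it.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned/unresolvable identity; not one of ours
        if ($lowPrivSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Repair-Acl {
    param([Parameter(Mandatory)] [string] $Path)

    $acl = Get-Acl -LiteralPath $Path
    # Break inheritance and discard inherited ACEs, then drop every explicit one.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    # Inheritance flags only make sense on directories; files get 'None'.
    $isDir   = Test-Path -LiteralPath $Path -PathType Container
    $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }

    $rules = @(
        @('BUILTIN\Administrators',           'FullControl'),
        @('NT AUTHORITY\SYSTEM',              'FullControl'),
        @('NT AUTHORITY\Authenticated Users', 'ReadAndExecute')   # run it, never change it
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r[0], $r[1], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (assumed install path; adjust to the real one):
$installDir = 'C:\Program Files\ABB\ASPECT-Studio'
$findings = Get-ChildItem -LiteralPath $installDir -Recurse -File |
            ForEach-Object { Test-WeakAcl -Path $_.FullName }
$findings | Format-Table -AutoSize
# After review, repair the directory (subfolders/files inherit) or individual files:
# Repair-Acl -Path $installDir
```

Audit first and repair second: the Test-WeakAcl output tells you whether the weak ACE is explicit on the executable or inherited from the install directory, which decides whether fixing the directory alone is enough. Repair-Acl is deliberately strict (it removes all existing ACEs); if the product runs under a dedicated service account, add a ReadAndExecute rule for it before applying.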

Proof of Concept
Disclosure Timeline
21.04.2024 Vulnerability discovered.
22.04.2024 Vendor contacted.
22.04.2024 Vendor responds.
02.05.2024 Working with the vendor.
21.05.2025 No response from the vendor.
22.05.2025 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
22.05.2025 Initial release
26.05.2025 Added reference [1]