ABB Cylon Aspect 3.08.02 (MIX) Session Validation Bypass
Title: ABB Cylon Aspect 3.08.02 (MIX) Session Validation Bypass
Advisory ID: ZSL-2025-5938
Type: Local/Remote
Impact: Security Bypass
Risk: (4/5)
Release Date: 22.05.2025
Summary
ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.
Description
ABB Cylon Aspect suffers from a broken session management issue. The backend validates sessions inconsistently: it gives priority to the Authorization header over the PHPSESSID cookie that normally authenticates access to the controller's admin panel. The PHPSESSID cookie governs access to the core configuration areas, while the Authorization header serves as a second factor for the HMI interface exposed on port 7226 by the mix.jar service. The two factors are never enforced together: a client that supplies a valid-looking Authorization header is granted access even without a valid PHPSESSID. An attacker can therefore bypass authentication by forging or reusing the Authorization header alone, which breaks the expected session integrity model and nullifies the intended multi-factor session enforcement.
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
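The validation flaw described in the Description section (an Authorization header accepted on its own, the PHPSESSID cookie never consulted), modelled as an added example in Python. This is not the advisory's PoC and not ABB's or ErgoTech's code; the session store, the token format, the session IDs and the request headers are assumptions constructed for illustration. vulnerable_check() reproduces the inconsistent ordering, and hardened_check() requires both factors and binds the Authorization token to the same session that the cookie names.

```python
"""Added example, not code from the advisory, ABB or ErgoTech: a minimal
model of the described session-validation flaw next to a corrected check.
Session IDs, tokens, store layout and requests are constructed assumptions;
the advisory does not describe the real backend's storage or token format.
"""
import hmac
import secrets
from typing import Dict, Optional

# Constructed session store: PHPSESSID value -> authenticated user.
SESSIONS: Dict[str, str] = {"8f3c0d1e2a4b5c6d": "admin"}

# Constructed per-session HMI tokens, standing in for whatever value the
# Authorization header is expected to carry towards the port 7226 HMI.
HMI_TOKENS: Dict[str, str] = {"8f3c0d1e2a4b5c6d": "Bearer hmi-2b7e151628ae"}


def issue_session(user: str) -> Dict[str, str]:
    """Create a session plus its bound HMI token and return the headers a
    legitimate client would send (Cookie and Authorization)."""
    sid = secrets.token_hex(8)
    token = "Bearer " + secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    HMI_TOKENS[sid] = token
    return {"Cookie": f"PHPSESSID={sid}", "Authorization": token}


def parse_cookies(header: Optional[str]) -> Dict[str, str]:
    """Parse a Cookie header into a dict, ignoring malformed pairs."""
    cookies: Dict[str, str] = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def _token_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison of header values (bytes, so any text works)."""
    return hmac.compare_digest(presented.encode(), expected.encode())


def vulnerable_check(headers: Dict[str, str]) -> Optional[str]:
    """Models the flaw: the Authorization header is consulted first and, if
    it matches any issued HMI token, access is granted without ever looking
    at the PHPSESSID cookie. The cookie is only checked as a fallback."""
    auth = headers.get("Authorization", "")
    if auth:
        for sid, token in HMI_TOKENS.items():
            if _token_matches(auth, token):
                return SESSIONS[sid]  # cookie never consulted
    sid = parse_cookies(headers.get("Cookie")).get("PHPSESSID")
    return SESSIONS.get(sid or "")


def hardened_check(headers: Dict[str, str]) -> Optional[str]:
    """Require both factors and bind them to one session: the cookie must
    name a live session and the Authorization header must equal the token
    issued for that same session. Either factor alone, or a token borrowed
    from a different session, is rejected."""
    sid = parse_cookies(headers.get("Cookie")).get("PHPSESSID")
    if not sid or sid not in SESSIONS:
        return None
    auth = headers.get("Authorization", "")
    expected = HMI_TOKENS.get(sid, "")
    if not auth or not expected or not _token_matches(auth, expected):
        return None
    return SESSIONS[sid]


if __name__ == "__main__":
    legit = issue_session("operator")
    # Attacker replays only the Authorization header, with no cookie at all.
    replay = {"Authorization": legit["Authorization"]}
    print("vulnerable, header only :", vulnerable_check(replay))  # operator
    print("hardened,   header only :", hardened_check(replay))    # None
    print("hardened,   both factors:", hardened_check(legit))     # operator
```

The binding in hardened_check() is the point to take away: checking that a header is "some valid token" is not the same as checking that it is the token issued to this session, so a token captured or reused from one session must not unlock another session's cookie either.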
Tested On
GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vendor Status
[21.04.2024] Vulnerability discovered.
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[03.12.2024] Vendor releases version 3.08.03 to address this issue.
[22.05.2025] Public security advisory released.
PoC
abb_aspect_sess2.txt
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] https://packetstorm.news/files/id/194966/
Changelog
[22.05.2025] - Initial release
[26.05.2025] - Added reference [1]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: [email protected]