ABB Cylon Aspect 3.08.03 (MIX->NTPServlet) Time Manipulation
Title: ABB Cylon Aspect 3.08.03 (MIX->NTPServlet) Time Manipulation
Advisory ID: ZSL-2025-5943
Type: Local/Remote
Impact: Security Bypass, Manipulation of Data, DoS
Risk: (5/5)
Release Date: 22.05.2025
Firmware: <=3.08.03
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[21.05.2025] No response from the vendor.
[22.05.2025] Public security advisory released.
[26.05.2025] - Added reference [1]
Web: https://www.zeroscience.mk
e-mail: [email protected]
Advisory ID: ZSL-2025-5943
Type: Local/Remote
Impact: Security Bypass, Manipulation of Data, DoS
Risk: (5/5)
Release Date: 22.05.2025
Summary
ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.Description
ABB Cylon Aspect MIX's NTPServlet allows NTP config changes via the Host: 127.0.0.1 bypass, writing attacker-controlled hosts to NTPTickers and syncing the system clock. A malicious NTP server can manipulate time, enabling DoS or time-based attacks.Vendor
ABB Ltd. - https://www.global.abbAffected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-StudioFirmware: <=3.08.03
Tested On
GNU/Linux 3.15.10 (armv7l)GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vendor Status
[21.04.2024] Vulnerability discovered.[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[21.05.2025] No response from the vendor.
[22.05.2025] Public security advisory released.
PoC
abb_aspect_dos3.txtCredits
Vulnerability discovered by Gjoko Krstic - <[email protected]>References
[1] https://packetstorm.news/files/id/194971/Changelog
[22.05.2025] - Initial release[26.05.2025] - Added reference [1]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: [email protected]
