CVE-2025-53187: Critical RCE in ABB ASPECT BMS with CVSS 9.8, No Prior Authentication

ABB has issued a cybersecurity advisory disclosing multiple vulnerabilities affecting its ASPECT Building Management System (BMS), including an authentication bypass rated CVSS 9.8. While patches exist for some flaws, ABB notes that certain issues will not receive corrective measures, urging customers to take immediate protective actions.

ABB confirmed three major vulnerabilities impacting ASPECT firmware versions prior to 3.08.04-s01:

• CVE-2025-53187 – Authentication Bypass (CVSS 9.8): ABB explains, “Due to an issue in configuration, code that was intended for debugging purposes, was included in the market release of the ASPECT FW allowing to bypass authentication… An attacker was able to change the system time, access files and make function calls (RCE) without prior authentication.”
• CVE-2025-7677 – Denial of Service (CVSS 5.9): A buffer copy issue can cause a software crash, leaving devices unavailable. ABB states, “This issue affects all versions of ASPECT. No plans of corrective measures exist.”
• CVE-2025-7679 – Session ID Basic Auth Bypass (CVSS 8.1): This flaw allows attackers to bypass authentication in certain contexts. ABB confirms, “The ASPECT system allows users to bypass authentication. This issue affects all versions of ASPECT.”

ASPECT is widely deployed as an on-premise BMS but often configured for remote access. ABB stresses that devices “are not intended to be internet-facing” and warns that successful exploitation could compromise confidentiality, integrity, and availability of system data.

Although no exploitation has been observed, ABB cautions that misconfigured systems exposed to the internet are at risk. An attacker who successfully exploited this vulnerability might be able to tamper with data, compromise integrity, and even run arbitrary code.

ABB urges customers to take the following immediate steps:

• Disconnect exposed systems: Stop and disconnect any ASPECT products that are exposed directly to the Internet.
• Apply firmware updates: Upgrade to version 3.08.04-s01 or later to fix CVE-2025-53187.
• Implement physical and network controls: Ensure only authorized personnel can access devices; isolate ASPECT systems behind firewalls.
• Secure remote access: If remote connectivity is required, use a VPN with the latest patches and secure configurations.
• Change default credentials: ABB highlights the importance of updating all default credentials during commissioning.

Related Posts:

• Critical ABB EIBPORT Flaw: Update Now to Prevent Building Automation Hijacks!
• ABB ASPECT BMS Critical Flaws: RCE and Privilege Escalation Risks
• Urgent Action Needed: ABB ASPECT Vulnerabilities Expose Buildings to Cyberattacks
• ABB Door Communication Systems exposed serious flaws
• CVE-2024-51547 (CVSS 9.8): Hard-Coded Credentials in ABB ASPECT

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy