Urgent Action Needed: ABB ASPECT Vulnerabilities Expose Buildings to Cyberattacks
ABB has issued a critical cyber security advisory for its ASPECT system, a building energy management platform. The advisory, released on December 5, 2024, details multiple vulnerabilities that could allow attackers to take remote control of the system and potentially execute malicious code.
The vulnerabilities, which affect various versions of ASPECT, range from unauthorized access and remote code execution to cross-site scripting and denial-of-service attacks. ABB has assigned CVSS v3.1 base scores as high as 10.0, indicating the severity of these flaws.
The advisory highlights numerous vulnerabilities, including:
- CVE-2024-6298 (CVSS 10): Remote Code Execution (RCE). Improper input validation could allow attackers to execute arbitrary code remotely. ABB notes that “an attacker can successfully exploit these vulnerabilities and could take remote control of the product and potentially insert and run arbitrary code.”
- CVE-2024-6515 (CVSS 9.6): Clear Text Passwords. Passwords may be handled in clear text or Base64 encoding, increasing the risk of unintended credential exposure.
- CVE-2024-51551 (CVSS 10): Default Credentials. Devices using publicly available default credentials are susceptible to unauthorized access, emphasizing the need for immediate credential updates.
- CVE-2024-51549 (CVSS 10): Absolute Path Traversal. This vulnerability enables access to and modification of unintended resources, posing significant security risks.
The advisory emphasizes that ASPECT devices are not designed to be internet-facing. ABB has reiterated its previous warnings to customers, stating, “ASPECT devices are not intended to be internet-facing. A product advisory issued in June 2023 informed customers of this parameter.”
Even so, the vulnerabilities reported in this advisory are only exploitable by attackers who can reach the network segment where ASPECT is installed, which is exactly the situation created when a device is exposed directly to the internet.
ABB acknowledged Gjoko Krstikj from Zero Science Lab for responsibly reporting the vulnerabilities. The company has released firmware updates to address the issues and is urging customers to apply them immediately.
To mitigate risks, ABB has outlined immediate steps:
- Disconnect Internet-Exposed Devices. Remove any ASPECT systems directly connected to the internet or configured with insecure network settings.
- Upgrade Firmware. Ensure all ASPECT products are updated to version 3.08.03 or newer, which addresses these vulnerabilities.
- Implement Secure Access Controls. Use secure Virtual Private Networks (VPNs) for remote access and ensure firewalls protect ASPECT installations.
- Change Default Credentials. ABB emphasizes the critical importance of changing default passwords immediately after installation.
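The two mitigation steps that can be checked mechanically are network placement and firmware level. The following added example (not ABB's code or tooling) triages a constructed asset inventory against them: it flags any ASPECT device whose management address is globally routable or lies outside the operator's approved building-automation segments, and any device running firmware older than 3.08.03. The inventory record format and the OT segment list are assumptions.

```python
"""Triage an ASPECT inventory against the advisory: devices must not be
internet-facing and must run firmware 3.08.03 or newer. Added example with
constructed data; the inventory format and OT segments are hypothetical."""
import ipaddress
from typing import Optional

FIXED_VERSION = "3.08.03"  # minimum fixed firmware named in the advisory

# Hypothetical building-automation segments where ASPECT is allowed to live.
APPROVED_OT_SEGMENTS = [ipaddress.ip_network("10.20.5.0/24"),
                        ipaddress.ip_network("10.20.6.0/24")]

def parse_version(v: str) -> tuple:
    """'3.08.03' -> (3, 8, 3): zero-padded segments compare numerically."""
    return tuple(int(part) for part in v.strip().split("."))

def is_fixed(version: str) -> bool:
    """True when the firmware is at or above the advisory's fixed version."""
    return parse_version(version) >= parse_version(FIXED_VERSION)

def exposure_issue(address: str) -> Optional[str]:
    """Finding if the management address is globally routable or outside the
    approved OT segments; None when placement looks right."""
    ip = ipaddress.ip_address(address)
    if ip.is_global:
        return f"{address} is internet-routable: disconnect and isolate"
    if not any(ip in seg for seg in APPROVED_OT_SEGMENTS):
        return f"{address} is outside approved OT segments: place behind firewall/VPN"
    return None

def triage(inventory: list) -> dict:
    """Map device name -> findings; devices with no findings are omitted."""
    findings = {}
    for dev in inventory:
        issues = []
        exposure = exposure_issue(dev["ip"])
        if exposure:
            issues.append(exposure)
        if not is_fixed(dev["firmware"]):
            issues.append(f"firmware {dev['firmware']} < {FIXED_VERSION}: upgrade")
        if issues:
            findings[dev["name"]] = issues
    return findings

# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    {"name": "aspect-hq-1", "ip": "10.20.5.14", "firmware": "3.08.03"},
    {"name": "aspect-hq-2", "ip": "10.20.5.15", "firmware": "3.07.02"},
    {"name": "aspect-annex", "ip": "172.16.40.7", "firmware": "3.08.04"},
]

if __name__ == "__main__":
    for name, issues in triage(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(issues))
```

A private address outside the listed segments is still flagged, since the advisory's point is segment-level isolation, not merely avoiding public IPs; the default-credential step cannot be verified from an inventory and needs a configuration review on each device.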
For more information, visit ABB’s cybersecurity page.