
ABB Cylon FLXeon Firmware Fiasco: Remote Code Execution Vulnerability Strikes Again 🚨

Behold, the ABB Cylon FLXeon BACnet controller, a marvel of building automation! However, it turns out it’s also a secret agent for chaos, offering remote code execution to anyone with valid credentials. Just push the right buttons (or in this case, parameters), and voilà, you’ve got yourself a rogue building controller!


Hot Take:

Who knew changing passwords could be so dangerous? Apparently, ABB Cylon FLXeon controllers said, “Hold my beer,” and turned a simple password update into a hacker’s playground. If your HVAC system starts playing Mozart at 3 AM, you might want to blame the FLXeon for not escaping its password nightmares!

Key Points:

  • ABB Cylon FLXeon controllers are vulnerable to remote code execution through password update manipulation.
  • The vulnerability affects BACnet controllers used in smart building management.
  • An attacker needs valid credentials to exploit the vulnerability.
  • The flaw lies in improper handling of the newPassword PUT parameter.
  • The issue was discovered by cybersecurity researcher Gjoko Krstic, aka ‘LiquidWorm’.
