ABB Cylon FLXeon Vulnerability: When Smart Buildings Get Hacked (And Not in a Cool Way)

The ABB Cylon FLXeon controller is dealing with a case of bad timing—literally. Its timeConfig.js script is so vulnerable that even a slightly mischievous hacker with login details can pull off authenticated remote code execution. It’s like giving a cat the house keys and wondering why your curtains are shredded.


Hot Take:

Who knew that time travel could be achieved with a little bit of code and a lot of vulnerability? The ABB Cylon FLXeon controllers have taken us back to a time when remote code execution was just a twinkle in a hacker’s eye. Kudos to ABB for making sure nostalgia isn’t left out of their smart building automation!

Key Points:

  • ABB Cylon FLXeon controllers are vulnerable to authenticated remote code execution.
  • The vulnerability exists in the /api/timeConfig endpoint due to improper input validation.
  • Authenticated attackers can inject arbitrary commands by manipulating time-related parameters.
  • The issue affects firmware versions up to 9.3.4 across several ABB controller series.
  • Discovered by security researcher Gjoko ‘LiquidWorm’ Krstic; the advisory ID is ZSL-2025-5910.

The Nimble Nerd