ABB Cylon’s Comedy of Errors: Remote Code Execution Leaves Systems Vulnerable

The ABB Cylon Aspect 3.08.02 has a flaw that turns building management into a comedy of errors, with hackers starring as unwanted guests. Thanks to an OS command injection vulnerability, an innocent .db file can become a mischievous prankster, executing commands like a rogue magician. Who knew building energy management could be so electrifyingly entertaining?

1P
Published: April 15, 2025 6:38 amAdded: April 15, 2025 at 12:10 amAssembled by: The Editor
Pro Dashboard

Hot Take:

Looks like ABB’s Cylon Aspect system just graduated from managing buildings to hosting a cybersecurity horror show! With a neat little trick, hackers can now take a stroll inside your building’s energy management system, having their way with shell commands. Who knew building management could be this thrillingly dangerous?

Key Points:

  • ABB Cylon Aspect BMS/BAS controller has an authenticated OS command injection vulnerability.
  • The vulnerability affects several firmware versions, including NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, and ASPECT-Studio.
  • Exploitation involves uploading a .db file with malicious commands, bypassing filename sanitization.
  • Advisory ID: ZSL-2025-5904 and CVE ID: CVE-2024-48839.
  • Discovered by cybersecurity researcher Gjoko ‘LiquidWorm’ Krstic.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?