ABB Cylon’s File Disclosure Fiasco: When Your Database Files Go on a World Tour!

ABB Cylon ASPECT has a vulnerability that could turn your building management system into an open book. The downloadDb.php script never properly verifies the 'file' parameter it is handed, so an authenticated user can point it outside its intended directory and read files it was never meant to serve, like a nosy neighbor peeking through your windows. Upgrade your firmware past 3.07.02 and keep your secrets... secret!


Hot Take:

Here’s a spicy scoop for all you cybersecurity aficionados: ABB’s Aspect 3.07.02 is spilling its secrets faster than a teenager’s diary left open at the breakfast table. With a vulnerability that lets an authenticated user peek into its innermost files, it’s practically the digital equivalent of leaving your front door ajar with a neon “Welcome Hackers” sign. If you’re using this building management system, you might want to double-check that all your virtual doors are locked tight, or at least not held open by a PHP script.

Key Points:

  • ABB’s Aspect building management system has an authenticated arbitrary file disclosure vulnerability.
  • The vulnerability stems from improper verification of the ‘file’ GET parameter in the ‘downloadDb.php’ script.
  • Because the parameter is used to build a file path without canonicalization or a containment check, this flaw allows directory traversal, exposing sensitive files outside the directory the script is meant to serve.
  • Affected products are the NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, and ASPECT-Studio running firmware <= 3.07.02.
  • The issue was discovered by Gjoko ‘LiquidWorm’ Krstic; the advisory is labeled ZSL-2024-5831.
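
To make the bullet about improper verification concrete, here is an added illustration of the vulnerability class, written for this article. It is not ABB's downloadDb.php source (the advisory text above does not reproduce it), and the export directory name, sample file names and request values are constructed assumptions for the demo. The first resolver shows the unsafe concatenation pattern; the second shows the containment check that closes it.

```php
<?php
// Added example for this post. Not the ABB Cylon ASPECT downloadDb.php code;
// the directory layout and file names below are constructed for illustration.
declare(strict_types=1);

// Vulnerable pattern: the untrusted 'file' value is glued onto a base
// directory with no canonicalization and no check that the result stays
// inside it, so a value such as ../secret.txt walks out of the directory.
function resolveVulnerable(string $baseDir, string $file): string
{
    return $baseDir . '/' . $file;
}

// Hardened pattern: canonicalize both the base directory and the candidate
// path with realpath(), then refuse anything not strictly under the base.
function resolveHardened(string $baseDir, string $file): ?string
{
    // NUL bytes can truncate paths in C-backed filesystem calls; reject them.
    if (strpos($file, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $file);

    // realpath() returns false when the path does not exist; for a download
    // endpoint that is the correct answer too (nothing to serve).
    if ($base === false || $candidate === false) {
        return null;
    }

    // The trailing separator matters: without it, /exports2 would pass as
    // "inside" /exports.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Self-contained demo: build a throwaway tree (constructed sample data),
// then feed a legitimate request and a traversal payload to both resolvers.
$root = sys_get_temp_dir() . '/aspect_demo_' . bin2hex(random_bytes(4));
mkdir("$root/exports", 0700, true);
file_put_contents("$root/exports/building.db", 'constructed sample export');
file_put_contents("$root/secret.txt", 'constructed sensitive file outside exports');

$requests = ['building.db', '../secret.txt', 'missing.db'];
foreach ($requests as $file) {
    $vuln = resolveVulnerable("$root/exports", $file);
    $safe = resolveHardened("$root/exports", $file);
    printf("file=%-16s vulnerable serves: %-4s hardened serves: %s\n",
        $file,
        is_file($vuln) ? 'YES' : 'no',
        $safe === null ? 'no (rejected)' : 'YES');
}

// Clean up the temporary tree.
unlink("$root/exports/building.db");
unlink("$root/secret.txt");
rmdir("$root/exports");
rmdir($root);
```

Run it with `php traversal_demo.php`: the vulnerable resolver happily hands over the file one level up, while the hardened one rejects it and also rejects the non-existent name. Where the set of downloadable files is known in advance, an explicit allow-list of file names is stricter still than a path-prefix check, and the two can be combined.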
