ABB Cylon’s SQL Injection Adventure: When Your Building Management System Lets Hackers in for Coffee

ABB Cylon Aspect 3.08.03 (CookieDB) has a not-so-hidden talent for SQL injection! This building energy management solution is open to manipulation, allowing attackers to access databases and execute arbitrary SQL commands with ease. So, when it comes to ABB Cylon, remember: it’s not just cookies that crumble.

Hot Take:

Who knew cookies could be dangerous? ABB Cylon’s CookieDB is serving up more than just sweet treats; it’s serving SQL injections on a silver platter! Looks like their building management system needs a little less sugar and a lot more security. Time to debug those cookies before they crumble the whole building’s data security!

Key Points:

  • ABB Cylon’s building management systems are vulnerable to SQL injection attacks.
  • The vulnerability is found in the CookieDB component, affecting several series and firmware versions.
  • Key and user parameters are not properly sanitized, allowing attackers to manipulate SQL queries.
  • This security gap can lead to unauthorized database access and execution of arbitrary SQL commands.
  • Despite being “award-winning,” the system’s security needs some serious patchwork.
