ABB Cylon’s XSS: A Factory-Sized Security Oops!

Attention web surfers: ABB Cylon Aspect 4.00.00 has a spicy new feature—unauthenticated XSS! That’s right, the BMS/BAS controller now offers a surprise JavaScript party in the user’s browser. Just tweak that ‘title’ GET parameter, and voila—it’s like having a hacker-themed pop-up book for your building’s energy management system!

1P
Published: April 16, 2025 8:36 amAdded: April 16, 2025 at 1:58 amAssembled by: The Editor
Pro Dashboard

Hot Take:

Well, well, well, ABB Cylon Aspect, it seems your “award-winning” energy management system has decided to become a little too welcoming. While it’s great you’ve got a scalable solution, maybe you should scale up your security measures too. It’s one thing to manage building energy, but letting in malicious scripts for free? That’s a bit too generous, don’t you think? Time to put the “guard” back in “Vanguard” and chase those JavaScript bandits away!

Key Points:

  • ABB Cylon Aspect has a reflected XSS vulnerability in the ‘title’ parameter of the factorySaved.php script.
  • The flaw allows unauthenticated users to inject and execute arbitrary HTML/JS code.
  • The vulnerability mainly affects systems during the manufacturing phase.
  • Multiple versions and hardware configurations are vulnerable, including ARM and x86 architectures.
  • This vulnerability was discovered by Gjoko ‘LiquidWorm’ Krstic and reported under Advisory ID: ZSL-2025-5893.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?