ABB Cylon’s XSS Slip-Up: When Smart Buildings Get a Sneaky Script Surprise!

ABB Cylon Aspect 3.08.02 was found to have a stored cross-site scripting (XSS) vulnerability in the licenseUpload.php file. This flaw allows attackers to upload a malicious .txt file, turning your building control system into a playground for hackers. It’s like inviting a clown to your security meeting—chaos ensues!


Hot Take:

ABB’s Cylon Aspect may be an ‘award-winning’ energy management system, but with its latest vulnerability, it seems to have won a special award for “Most Likely to Get Hacked by a Basic Script Kid.” Who knew that managing your building’s energy could also come with a side of impending cyber doom? ABB, it’s time to patch those holes or prepare for a dramatic episode of “When Building Management Systems Go Rogue!”

Key Points:

  • ABB Cylon Aspect 3.08.02 has a stored cross-site scripting (XSS) vulnerability.
  • The vulnerability allows for malicious scripts to execute via file uploads.
  • Sanitization is limited to filenames, not the file content itself.
  • XSS can be triggered by users accessing infected files or related web pages.
  • Discovered by security researcher Gjoko ‘LiquidWorm’ Krstic.
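The gap named in the key points, where the filename is sanitized but the file content is not, is shown below as an added example; it is not ABB's code and not taken from licenseUpload.php. All function names and the sample upload are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: a filename-only check of the kind the key points describe.
function sanitize_filename(string $name): string
{
    // Drop any path component and keep a conservative character set.
    return preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name));
}

// Weak: the stored content is placed into the HTML page as-is.
function render_license_unsafe(string $name, string $content): string
{
    return '<h3>' . sanitize_filename($name) . '</h3><pre>' . $content . '</pre>';
}

// Hardened: the content is treated as untrusted text and encoded at output time.
function render_license_safe(string $name, string $content): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<h3>' . htmlspecialchars(sanitize_filename($name), $flags, 'UTF-8') . '</h3>'
         . '<pre>' . htmlspecialchars($content, $flags, 'UTF-8') . '</pre>';
}

// Hardened: headers for serving the stored file directly, so a browser
// neither sniffs it as HTML nor renders it inline.
function download_headers(string $name): array
{
    return [
        'Content-Type: text/plain; charset=utf-8',
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . sanitize_filename($name) . '"',
    ];
}

// Constructed sample upload: a clean filename with markup in the body.
$name    = 'license.txt';
$content = "LICENSE-KEY=CONSTRUCTED-0000\n<script>alert(1)</script>\n";

// The filename check changes nothing, yet only the encoded page is free of a live tag.
var_dump(sanitize_filename($name) === $name);
var_dump(strpos(render_license_unsafe($name, $content), '<script>') !== false);
var_dump(strpos(render_license_safe($name, $content), '<script>') !== false);
print_r(download_headers($name));
```

Encoding at output covers the "related web pages" case, and the response headers cover a user opening the stored file directly.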
