ABB’s Building Management Blunder: A Comedy of Script Errors

ABB Cylon’s Aspect software has a bug that lets savvy hackers in on a prank: by tinkering with the “host” parameter, they can execute an authenticated stored cross-site scripting attack. It’s like inviting hackers to a dinner party, with your browser as the main course.


Hot Take:

ABB’s building management system is managing more than just your energy — it’s also hosting a surprise XSS party! Talk about ‘smart’ devices, huh? The real energy usage here might just be in trying to patch this exploit before your building’s data turns into a hacker’s playground. Remember, folks, it’s all fun and games until someone scripts an alert box on your dashboard!

Key Points:

  • ABB’s ASPECT building management systems have been found vulnerable to a stored cross-site scripting (XSS) attack.
  • The vulnerability affects several series, including NEXUS, MATRIX-2, ASPECT-Enterprise, and ASPECT-Studio.
  • Input to the ‘host’ POST parameter is improperly sanitized, allowing execution of arbitrary HTML/JS code.
  • The issue exists in firmware versions <=3.08.02.
  • Discovered by Gjoko ‘LiquidWorm’ Krstic, the vulnerability is documented under CVE-2024-6516.
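To show what "improperly sanitized" means for a stored POST parameter, here is an added example (not ABB's code and not from the advisory) that models a form handler which saves a `host` value and later echoes it into a settings page; the store, the `save_host_*` and `render_*` functions and the hostname regex are all assumed for illustration. The vulnerable path reflects the stored value unencoded, while the hardened path validates the value on input and HTML-escapes it on output.

```python
import html
import re

# Constructed in-memory stand-in for the device's settings store (not ABB's code).
_store = {}

# Allow-list for the "host" field: RFC 1123 hostname labels, which also covers
# dotted IPv4. Anything with quotes, angle brackets or spaces is rejected.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def save_host_vulnerable(value):
    """Stores the raw POST value; any markup in it reaches every later page view."""
    _store["host"] = value


def save_host_hardened(value):
    """Input validation: only a syntactically valid hostname/IPv4 is stored."""
    if not _HOST_RE.match(value):
        raise ValueError("host must be a hostname or IPv4 address")
    _store["host"] = value


def host_accepted(value):
    """True if the hardened handler stores the value, False if it rejects it."""
    try:
        save_host_hardened(value)
        return True
    except ValueError:
        return False


def render_vulnerable():
    """Echoes the stored value straight into an HTML attribute: stored XSS."""
    return f"<input name='host' value='{_store.get('host', '')}'>"


def render_hardened():
    """Output encoding: escape quotes and angle brackets on the way out, so the
    page stays safe even if input validation is bypassed elsewhere."""
    return "<input name='host' value='{}'>".format(
        html.escape(_store.get("host", ""), quote=True)
    )
```

Both controls are needed: validation keeps bad values out of the store, and output encoding protects the page against values that arrived through any other path.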

The Nimble Nerd