CISA Releases Fourteen Industrial Control Systems Advisories

CISA released fourteen Industrial Control Systems ICS advisories on September 9, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-252-01 Rockwell Automation ThinManager ICSA-25-252-02 ABB Cylon Aspect BMS/BAS...

ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)

ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution RCE Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: =3.08.04 Summary: ASPECT is an award-winning scalable building energy management...

ABB Cylon Aspect 3.08.04 (DeploySource) Unauthenticated Remote Code Execution

Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the...

ABB Cylon Aspect Studio 3.08.03 - Binary Planting

Exploit Title: ABB Cylon Aspect Studio 3.08.03 - Binary Planting Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: type project P R O J E C T .| | | |'| . | | |. |' .---"| .-' '-. | | .--'| || | | | .-'| .| | || '- | | | || | |' | |. | || | | | | || | | '-' ' "" '-' '-.'...

ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation

!/usr/bin/env python Exploit Title: ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: =3.08.03 Summary: ASPECT is an award-winning scalabl...

ABB Cylon Aspect 3.08.03 (login.php) Obscure Authentication Bypass

Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The ABB Cylon Aspect BAS controller allows login using guest:guest,...

ABB Cylon Aspect 3.08.03 (logYumLookup.php) Hybrid Path Traversal

Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The ABB Cylon Aspect BAS controller is vulnerable to an authenticated...

ABB Cylon Aspect 3.08.03 (MIX->NTPServlet) Time Manipulation

Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description ABB Cylon Aspect MIX's NTPServlet allows NTP config changes via the...

ABB Cylon Aspect 3.08.03 (productRemovalUpdate.php) Remote Code Execution

Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The ABB BMS/BAS controller suffers from an authenticated blind OS...

ABB Cylon BACnet MS/TP Kernel Module (mstp.ko) Out-of-Bounds Write in SendFrame()

Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. BACnet Smart Building Controllers. ABB's BACnet portfolio features a series of...

ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin

Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the...

ABB Cylon Aspect Studio 3.08.03 (CylonLicence.dll) Binary Planting

Summary ABB Cylon ASPECT Studio is a graphical programming tool and integrated development environment IDE for ABB Cylon ASPECT products. It's used to engineer comprehensive area control and graphical user interface GUI solutions, containing a library of logical and graphical widgets. It allows...

ABB Cylon Aspect 3.08.03 (logMixDownload.php) Remote Code Execution

Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The ABB BMS/BAS controller suffers from an authenticated blind OS...

ABB Cylon Aspect Studio 3.08.03 Insecure Permissions

Summary ABB Cylon ASPECT Studio is a graphical programming tool and integrated development environment IDE for ABB Cylon ASPECT products. It's used to engineer comprehensive area control and graphical user interface GUI solutions, containing a library of logical and graphical widgets. It allows...

ABB Cylon Aspect 3.08.03 (Java/PHP) Log Forging

Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description Multiple PHP and Java components across the system fail to properly...

ABB Cylon Aspect 3.08.03 (MIX->HTTPDownloadServlet) File Deletion

Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the...

ABB Cylon FLXeon 9.3.5 (variant.js) Unauthenticated System Information Disclosure

Summary BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boiler...

📄 ABB Cylon FLXeon 9.3.5 capture.js Authenticated File Disclosure / Deletion

The ABB Cylon FLXeon BACnet controller is vulnerable to a path traversal flaw in its capture.js endpoint due to unsanitized user input being directly concatenated into a filesystem path. An attacker can exploit this by supplying crafted file names to access arbitrary files outside the intended va...

ABB Cylon FLXeon 9.3.5 (siteGuide.js) Authenticated Root Remote Code Execution

Summary BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boiler...

ABB Cylon FLXeon 9.3.5 (uukl.js) Predictable Salt and Weak Hashing Algorithm

Summary BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boiler...