68 matches found
ABB Cylon Aspect 3.08.02 (MIX) Session Validation Bypass
Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description ABB Cylon Aspect suffers from a broken session management issue. The...
ABB Cylon Aspect 3.07.02 - File Disclosure
Exploit Title : ABB Cylon Aspect 3.07.02 - File Disclosure Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: =3.07.02 Summary: ASPECT is an award-winning scalable building energy management and...
ABB Cylon FLXeon 9.3.4 Insecure Backup Sensitive Data Exposure Vulnerability
ABB Cylon FLXeon version 9.3.4 has backups that contain sensitive system files, including main.db, SSL/TLS certificates and keys, the system shadow file with hashed passwords, and the license key. ABB Cylon FLXeon 9.3.4 Insecure Backup Sensitive Data Exposure Vendor: ABB Ltd. Product web page:...
ABB Cylon FLXeon 9.3.4 Unauthenticated Dashboard Access
ABB Cylon FLXeon version 9.3.4 allows unauthenticated access to the Building Management System (BMS) or Building Automation System (BAS) dashboard. This exposes sensitive information, including system status, events, and alarms related to HVAC operations. Additionally, an attacker could manipulate...
ABB Cylon FLXeon 9.3.4 runtimeSetup.sh Hidden Backdoor Account Vulnerability
ABB Cylon FLXeon version 9.3.4 has a hidden administrative account cxpro that has write access permissions to the device. ABB Cylon FLXeon 9.3.4 runtimeSetup.sh Hidden Backdoor Account Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: FLXeon Series FBXi Series, FBTi...
ABB Cylon Aspect 3.08.02 Cookie User Password Disclosure Vulnerability
ABB Cylon Aspect version 3.08.02 suffers from cleartext transmission and storage of sensitive information in a Cookie. This includes the globals parameter, where authdata contains base64-encoded credentials. A remote attacker can intercept the HTTP Cookie, including authentication credentials,...
ABB Cylon Aspect 3.08.02 (syslogUpdate.php) Remote Code Execution
Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The ABB BMS/BAS controller suffers from an authenticated OS command...
ABB Cylon Aspect 3.08.01 (vstatConfigurationDownload.php) Config Download
Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. The addition of vSTAT, a Virtual Zone application, allows for authorised users to...
ABB Cylon Aspect 3.08.00 Off-By-One
ABB Cylon Aspect 3.08.00 logMix/YumLookup.php Off-by-One Error in Log Parsing Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: =3.08.00 Summary: ASPECT is an award-winning scalable building energy...
ABB Cylon Aspect 3.08.01 File Upload MD5 Checksum Bypass
ABB Cylon Aspect 3.08.01 badassMode File Upload MD5 Checksum Bypass Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: =3.08.01 Summary: ASPECT is an award-winning scalable building energy managemen...
ABB Cylon Aspect 3.08.01 (badassMode) File Upload MD5 Checksum Bypass
Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The ABB BMS/BAS system has a vulnerability in caldavInstall.php,...
ABB Cylon Aspect 3.08.01 (jsonProxy.php) Servlet Inclusion Authentication Bypass
Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The ABB BMS/BAS controller is vulnerable to remote, arbitrary servlet...
ABB Cylon Aspect 3.08.01 jsonProxy.php Information Disclosure Vulnerability
ABB Cylon Aspect 3.08.01 jsonProxy.php Information Disclosure Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: =3.08.01 Summary: ASPECT is an award-winning scalable building energy management and...
ABB Cylon Aspect 3.08.01 jsonProxy.php Cross Site Scripting
ABB Cylon Aspect 3.08.01 jsonProxy.php Unauthenticated Reflected XSS Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: =3.08.01 Summary: ASPECT is an award-winning scalable building energy manageme...
ABB Cylon Aspect 3.08.01 (jsonProxy.php) Unauthenticated Reflected XSS
Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The ABB BMS/BAS controller suffers from an unauthenticated reflected...
ABB Cylon Aspect 3.08.01 Active Debug Data Exposure Vulnerability
ABB Cylon Aspect version 3.08.01 is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information. ABB Cylon Aspect 3.08.01 auth/ Active Debug Code Vulnerability Vendor: ABB Ltd. Product web page:...
ABB Cylon Aspect 3.08.01 jsonProxy.php Servlet Inclusion Authentication Bypass Vulnerability
ABB Cylon Aspect version 3.08.01 is vulnerable to remote, arbitrary servlet inclusion. The jsonProxy.php endpoint allows unauthenticated remote attackers to access internal services by proxying requests to localhost. This results in an authentication bypass, enabling attackers to interact with...
ABB Cylon Aspect 3.08.01 (jsonProxy.php) Unauthenticated Credentials Disclosure
Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The ABB BMS/BAS controller allows an unauthenticated attacker to...
ABB Cylon Aspect 3.08.01 (jsonProxy.php) Unauthenticated Project Download
Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The jsonProxy.php endpoint on the ABB BMS/BAS controller is vulnerabl...
ABB Cylon Aspect 3.08.01 (jsonProxy.php) Denial of Service
Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description The jsonProxy.php endpoint on the ABB BMS/BAS controller is vulnerabl...