4 matches found
ABB Cylon FLXeon 9.3.5 siteGuide.js Authenticated Directory Traversal
The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated file traversal via the /api/siteGuide endpoint. An attacker with valid credentials can manipulate the filename parameter to move and access or overwrite arbitrary files. The issue arises due to improper input validation in...
ABB Cylon FLXeon 9.3.4 Unauthenticated Dashboard Access Vulnerability
ABB Cylon FLXeon version 9.3.4 allows unauthenticated access to the Building Management System (BMS) or Building Automation System (BAS) dashboard. This exposes sensitive information, including system status, events, and alarms related to HVAC operations. Additionally, an attacker could manipulate...
ABB Cylon FLXeon 9.3.4 (users.js) Authenticated Root Remote Code Execution
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boiler...
ABB Cylon FLXeon 9.3.4 (timeConfig.js) Authenticated Root Remote Code Execution
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boiler...