11 matches found
CVE-2025-10207
CVE-2025-10207 affects ABB FLXEON controllers (through v9.3.5). The issue is due to improper input validation that could allow remote control of the device and arbitrary code execution, with high impact on confidentiality, integrity, and availability. Exploitation details are not provided in the ...
PT-2025-38312
Name of the Vulnerable Software and Affected Versions: ABB FLXEON versions through 9.3.5. Description: An improper validation of specified type of input issue exists in ABB FLXEON. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability...
CVE-2025-10205
Use of a One-Way Hash with a Predictable Salt vulnerability in ABB FLXEON. This issue affects FLXEON: through 9.3.5. and newer versions...
CVE-2025-10205
CVE-2025-10205 affects ABB FLXEON controllers (through 9.3.5 and newer). The issue arises from using a one-way hash with a predictable salt and low-entropy MD5 salt storage, enabling credential-related weaknesses and contributing to a remote code execution risk due to improper input validation. P...
ABB Cylon FLXeon 9.3.5 (bbmdList.js) Authenticated Config Poisoning
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boiler...
ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boiler...
CVE-2024-48849 Authentication and Authorization Issues
Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON: through <= 9.3.4...
CVE-2024-48849 Authentication and Authorization Issues
Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON: through <= 9.3.4...
CVE-2024-48841 Remote Code Execution (RCE) Vulnerabilities
Network access can be used to execute arbitrary code with elevated privileges. This issue affects FLXEON 9.3.4 and older...
CVE-2024-48841 Remote Code Execution (RCE) Vulnerabilities
Network access can be used to execute arbitrary code with elevated privileges. This issue affects FLXEON 9.3.4 and older...
ABB FLXEON Controllers
SUMMARY: An update is available that resolves a privately reported vulnerability in the product versions listed as affected in this advisory. FLXEON devices are not intended to be internet-facing. A product advisory issued in June 2023 informed customers of this parameter. An attacker can...