ABB Cylon Aspect 3.08.02 PHP Session Fixation Vulnerability
Title: ABB Cylon Aspect 3.08.02 PHP Session Fixation Vulnerability
Advisory ID: ZSL-2025-5916
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, Cross-Site Scripting
Risk: (4/5)
Release Date: 09.02.2025
Summary
ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.
Description
The ABB Cylon Aspect BMS/BAS controller is vulnerable to session fixation, allowing an attacker to set a predefined PHPSESSID value. An attacker can leverage an unauthenticated reflected XSS vulnerability in jsonProxy.php to inject a crafted request, forcing the victim to adopt a fixated session.
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
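As an added example, not the advisory's PoC and not ABB's 3.08.03 fix: a PHP login handler showing the pattern that makes a pre-set PHPSESSID dangerous next to a hardened one that refuses ids the server never issued (session.use_strict_mode) and regenerates the id at the authentication boundary. The field names, demo user and in-memory credential store are constructed placeholders.

```php
<?php
// Added example, not the advisory's PoC nor ABB's 3.08.03 fix: a PHP login
// handler hardened against session fixation. Field names, the demo user and
// the in-memory credential store are constructed placeholders.
declare(strict_types=1);
// Vulnerable pattern for contrast (never called here): the id the browser
// presented survives authentication, so a PHPSESSID planted beforehand becomes
// a logged-in session the moment the victim authenticates.
function login_fixable(array $users, string $user, string $pass): bool
{
    session_start();                               // default: adopts any PHPSESSID
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) return false;
    $_SESSION['user'] = $user;                     // same id before and after login
    return true;
}

function session_start_hardened(): void
{
    // Reject ids the server never issued (PHP >= 5.5.2): an attacker-chosen
    // PHPSESSID is discarded and replaced instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    // Carry the id only in the cookie, never in URLs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Keep the cookie out of reach of injected script and off cleartext (array
    // form of session_set_cookie_params needs PHP >= 7.3).
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();
}

function login_hardened(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) return false;
    // Privilege boundary: drop whatever id the browser arrived with, issue a
    // fresh one and delete the old session so a pre-set id can never be reused.
    session_regenerate_id(true);
    $_SESSION = ['user' => $user, 'login_time' => time()];
    return true;
}

// Constructed demo store: one user, hash created at load time for the example.
$users = ['operator' => password_hash('demo-passphrase-not-for-production', PASSWORD_DEFAULT)];
session_start_hardened();
if (isset($_POST['user'], $_POST['pass'])) {
    echo login_hardened($users, (string) $_POST['user'], (string) $_POST['pass']) ? 'ok' : 'denied';
}
```

With strict mode on, a PHPSESSID the server has no record of is replaced on session_start(), and the regeneration at login means even a previously valid, attacker-known id is never upgraded to an authenticated one.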
Tested On
GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vendor Status
[21.04.2024] Vulnerability discovered.
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[03.12.2024] Vendor releases version 3.08.03 to address this issue.
[09.02.2025] Public security advisory released.
PoC
abb_aspect_sess1.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[2] https://www.cve.org/CVERecord?id=CVE-2024-11317
[3] https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-01
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/390814
[5] https://packetstorm.news/files/id/189097/
[6] https://www.securityweek.com/researcher-says-abb-building-control-products-affected-by-1000-vulnerabilities/
Changelog
[09.02.2025] - Initial release
[10.02.2025] - Added references [5] and [6]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk