ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials

Exploit Author: LiquidWorm
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2025-04-03
# Exploit Title : ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.07.01

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller is operating with default and hard-coded
credentials contained in install package while exposed to the Internet.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           phpMyAdmin 2.11.9


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Reported by DIVD


Advisory ID: ZSL-2024-5830
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5830.php
CVE ID: CVE-2024-4007
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4007


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

$ cat max/var/www/html/phpMyAdmin/config.inc.php | grep control
$cfg['Servers'][$i]['controluser'] = 'root';
$cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';


ABB Cylon Aspect 3.07.01 — Hard-coded Default Credentials (CVE-2024-4007)

The ABB Cylon ASPECT family (NEXUS, MATRIX-2, ASPECT-Enterprise, ASPECT-Studio) prior to and including firmware 3.07.01 ships with hard-coded/default credentials inside installation artifacts. When reachable from untrusted networks these defaults allow unauthorized access to web interfaces and management components, increasing risk for unauthorized control, data exposure, lateral movement, and persistent compromise of building management systems (BMS/BAS).

Quick summary

  • Vulnerability: Embedded/hard-coded default credentials in install packages and shipped components.
  • CVE: CVE-2024-4007
  • Vendor: ABB Ltd.
  • Affected versions: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio — firmware <= 3.07.01
  • Impact: Anyone who can reach the service logs in with the shipped credentials (no bypass technique is needed); potential full control of building automation functions where the interface is exposed.
  • Public advisory: ZSL-2024-5830 (Zeroscience), MITRE CVE entry

Why this is serious

Building management systems control HVAC, lighting, access and other critical infrastructure. Hard-coded credentials mean every deployment that still contains the default values is trivially discoverable and accessible by attackers who can reach the service. Even if only administrative web consoles (e.g., phpMyAdmin, custom admin portals) are affected, attackers can pivot from there to other devices on the same network or load malicious payloads.

Technical description (high-level)

Install packages for ASPECT include configuration files and management components that define an administrative control account: the bundled phpMyAdmin config.inc.php sets the MySQL control account to root with a static password (see the grep output above). Those values are present on the file system of every installation and, when the device is exposed to the Internet, usable against the web UI or other services. The root cause is the use of static secrets instead of per-installation credentials, combined with no forced first-run password change.

Affected components and environment notes

Component                              Notes
ASPECT automation application server   Includes web management UI and bundled apps
phpMyAdmin (bundled)                   Observed controluser credentials in config.inc.php inside webroot
Web servers                            lighttpd and Apache packaged with device images

Detection and discovery (defensive guidance)

Detection should be focused on two tracks: locating devices with default credentials in your estate, and searching for signs of unauthorized access where credentials were abused.

  • Inventory & exposure: Enumerate devices running ASPECT/NEXUS/MATRIX using asset management or network discovery. Note public IPs and firewall rules that allow external reachability to management ports (80/443, SSH, 3306, etc.).
  • File-system search (local): If you can access device firmware or backups, search for common control variables like controluser/controlpass or other obvious strings. Example (local administration use):
# Search a local firmware extract or backup for phpMyAdmin control user strings
grep -R --line-number -i "controlpass" ./extracted_firmware || true

Explanation: This command recursively searches the extracted firmware or webroot directory for the string "controlpass" and prints matching file paths and line numbers. Use it on trusted copies of device files during an investigation. Do not use this to attack third-party systems.

  • Network scans (risk-aware): Use internal network scanning tools to identify hosts exposing known ASPECT web pages or headers. Rather than brute forcing credentials, look for the product banner or web paths that identify a vulnerable stack.
  • SIEM / logs: Look for suspicious logins from unknown IPs, failed-then-successful authentication sequences, or web shell uploads. Outbound connections to unfamiliar hosts from the BMS are a strong indicator of compromise.
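The grep in the file-system search track gets noisy on large firmware extracts and says nothing about whether the value it found is the shipped default. The following Python script is an added example, not part of the advisory or of the ASPECT firmware: it walks an extracted firmware or backup tree, parses the controluser/controlpass lines out of every config.inc.php it finds, and flags the shipped root/F@c1liTy pair, any root control account, and short passwords. The sample tree it builds in a temporary directory is constructed for the demo; its max/var/www/html/phpMyAdmin path mirrors the one shown in the advisory.

```python
"""Audit extracted firmware/backups for hard-coded phpMyAdmin control credentials.

Added example for this writeup; not vendor code. Run against a trusted local copy only.
"""
import tempfile
from pathlib import Path
import re

# Matches lines of the form:  $cfg['Servers'][$i]['controluser'] = 'root';
CFG_RE = re.compile(
    r"""\$cfg\['Servers'\]\[\$i\]\['(controluser|controlpass)'\]\s*=\s*(['"])(.*?)\2\s*;"""
)

# The (user, password) pair observed in the ASPECT webroot, from the advisory above.
KNOWN_DEFAULTS = {("root", "F@c1liTy")}


def parse_control_creds(text):
    """Return {'controluser': ..., 'controlpass': ...} for the values present in a config body."""
    found = {}
    for m in CFG_RE.finditer(text):
        found[m.group(1)] = m.group(3)
    return found


def classify(creds):
    """Turn one parsed config into a list of finding strings (empty list means nothing to report)."""
    findings = []
    user = creds.get("controluser")
    pw = creds.get("controlpass")
    if user is None and pw is None:
        return findings
    if (user, pw) in KNOWN_DEFAULTS:
        findings.append("KNOWN_DEFAULT: shipped ASPECT controluser/controlpass pair present")
    if user == "root":
        findings.append("ROOT_CONTROLUSER: control account should be a least-privilege pma user")
    if pw is not None and len(pw) < 16:
        findings.append("SHORT_CONTROLPASS: fewer than 16 characters")
    return findings


def audit_tree(root):
    """Walk a tree; return {relative path: findings} for every config.inc.php with a finding."""
    results = {}
    for path in Path(root).rglob("config.inc.php"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable artifact in the extract; skip rather than abort the audit
        findings = classify(parse_control_creds(text))
        if findings:
            results[str(path.relative_to(root))] = findings
    return results


def build_sample_tree():
    """Constructed sample: one webroot with the shipped default, one already rotated."""
    root = tempfile.mkdtemp(prefix="aspect_audit_")
    shipped = Path(root, "max/var/www/html/phpMyAdmin")
    shipped.mkdir(parents=True)
    (shipped / "config.inc.php").write_text(
        "<?php\n"
        "$cfg['Servers'][$i]['controluser'] = 'root';\n"
        "$cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';\n"
    )
    rotated = Path(root, "site-b/var/www/html/phpMyAdmin")
    rotated.mkdir(parents=True)
    (rotated / "config.inc.php").write_text(
        "<?php\n"
        "$cfg['Servers'][$i]['controluser'] = 'pmadb_ctl';\n"
        "$cfg['Servers'][$i]['controlpass'] = 'x7Qm2vL9pR4sT8wZ1nB6';\n"
    )
    return root


if __name__ == "__main__":
    for rel_path, findings in audit_tree(build_sample_tree()).items():
        print(rel_path)
        for finding in findings:
            print("  -", finding)
```

Point audit_tree() at the mount point of a firmware image or at a configuration backup; only the webroot that still carries the shipped pair is reported, and the already-rotated site produces no output, which is the behaviour you want when sweeping a whole estate.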

Indicators of Compromise (IoCs)

  • Presence of a phpMyAdmin config.inc.php with the shipped control credentials (controluser = 'root', controlpass = 'F@c1liTy') in the device webroot. Strictly this is an indicator of exposure rather than of compromise, but any such host that was reachable from untrusted networks should be treated as potentially accessed.
  • Unexpected services listening on management ports and accessible from WAN.
  • Unusual scheduled tasks, modified web pages, or newly added users on the device.
  • Outbound connections from the BMS to unfamiliar hosts or known C2 infrastructure following discovery or access.

Immediate mitigation (recommended steps)

  • Block external access — place devices behind a firewall and restrict management interfaces to trusted networks or VPN-only access.
  • Perform an inventory and prioritize devices with public-facing management interfaces for immediate remediation.
  • Change any default or hard-coded credentials to strong, unique passwords and rotate them. If a password is embedded in a shipped file, remove/replace it in the deployed configuration.
  • Apply vendor-supplied updates and patches. Contact ABB support for firmware updates that remove hard-coded secrets; install firmware > 3.07.01 if available.
  • Harden accompanying services: remove or restrict phpMyAdmin, disable unnecessary web servers, and implement network segmentation to limit access to the BMS.

How to safely replace default credentials

Below is a safe configuration example for phpMyAdmin's config.inc.php showing a non-default control user. This is a defensive configuration example — deploy it only on systems you own and have authorization to manage.

/* Example phpMyAdmin config snippet: replace with secure values */
$cfg['Servers'][$i]['controluser'] = 'pmadb_admin';
$cfg['Servers'][$i]['controlpass'] = 'REPLACE_WITH_STRONG_UNIQUE_PASSWORD';
$cfg['Servers'][$i]['auth_type'] = 'cookie';  // interactive login credentials are then never stored in this file

Explanation: The control account is the MySQL user phpMyAdmin uses for its own configuration-storage tables, and its password has to live in config.inc.php by design. So the fix is not to hide it but to make it a dedicated MySQL user with rights only on the phpMyAdmin storage database (never root) and to give it a unique, strong password. auth_type 'cookie' addresses a separate problem: it keeps the interactive login user's password out of the file, whereas auth_type 'config' would store that password in plaintext alongside the control password. After changing the configuration, set ownership and mode so that only root and the group the web server runs as can read the file (for example owner root, group the web server's group, mode 640; mode 600 owned by root would stop the PHP process from reading it unless the web server runs as root) and restrict access to the webroot.

# Example: generate a 32-character password locally (Linux)
openssl rand -base64 24

Explanation: This generates a random password string suitable for use as a strong credential. Use secure secret management (vaults) to store and rotate these values rather than leaving secrets in plaintext files.
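Putting the replacement steps above together, the following Python script is an added example, not vendor code or phpMyAdmin's own tooling: it generates a random 32-character control password, rewrites the controluser and controlpass lines of a config.inc.php atomically, installs the file with mode 0640, and returns the MySQL statements a DBA would run so the new account only has rights on the phpMyAdmin configuration-storage database. The account name pmadb_ctl, the database name phpmyadmin and the host localhost are assumptions; the additional read-only grants on mysql.* that the phpMyAdmin documentation lists for the control user are left to the DBA, and the demo rotates a constructed config in a temporary directory rather than a live webroot.

```python
"""Rotate the phpMyAdmin control account in config.inc.php.

Added example for this writeup; not vendor code. Names below are assumptions.
"""
import os
import re
import secrets
import stat
import string
import tempfile
from pathlib import Path

# Assumed names: least-privilege control account and the configuration-storage database.
NEW_CONTROLUSER = "pmadb_ctl"
PMA_DB = "phpmyadmin"

# Captures the parts around the quoted value of one control line, e.g.
#   $cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';
# group 1 = prefix up to the quote, 2 = key, 3 = quote char, 4 = trailing ';' and comment
CTRL_LINE_RE = re.compile(
    r"""^(\s*\$cfg\['Servers'\]\[\$i\]\['(controluser|controlpass)'\]\s*=\s*)(['"]).*?\3(\s*;.*)$""",
    re.M,
)


def gen_password(length=32):
    """Random alphanumeric secret: safe inside PHP single quotes and SQL string literals."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rewrite_config(text, user, password):
    """Replace controluser/controlpass values; refuse to 'rotate' a file missing either line."""
    seen = set()

    def repl(m):
        key = m.group(2)
        seen.add(key)
        value = user if key == "controluser" else password
        return f"{m.group(1)}'{value}'{m.group(4)}"

    out = CTRL_LINE_RE.sub(repl, text)
    missing = {"controluser", "controlpass"} - seen
    if missing:
        raise ValueError(f"config lacks {sorted(missing)}; nothing rotated")
    return out


def grant_statements(user, password, host="localhost"):
    """SQL for the DBA: a dedicated account limited to the pma storage database, not root."""
    return [
        f"CREATE USER '{user}'@'{host}' IDENTIFIED BY '{password}';",
        f"GRANT SELECT, INSERT, UPDATE, DELETE ON `{PMA_DB}`.* TO '{user}'@'{host}';",
        "FLUSH PRIVILEGES;",
    ]


def rotate(config_path, user=NEW_CONTROLUSER):
    """Rewrite config.inc.php in place (atomic rename, mode 0640); return (password, grant SQL)."""
    path = Path(config_path)
    password = gen_password()
    new_text = rewrite_config(path.read_text(), user, password)
    tmp = path.with_name(path.name + ".new")
    tmp.write_text(new_text)
    # Owner (root) and the web server's group may read; world may not. 0600 owned by
    # root would break phpMyAdmin unless the web server itself runs as root.
    os.chmod(tmp, 0o640)
    os.replace(tmp, path)
    return password, grant_statements(user, password)


def demo():
    """Constructed config carrying the shipped default, rotated in a temp dir; returns what changed."""
    workdir = tempfile.mkdtemp(prefix="aspect_rotate_")
    cfg = Path(workdir, "config.inc.php")
    cfg.write_text(
        "<?php\n"
        "$cfg['Servers'][$i]['controluser'] = 'root';\n"
        "$cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';\n"
        "$cfg['Servers'][$i]['auth_type'] = 'cookie';\n"
    )
    password, grants = rotate(cfg)
    after = cfg.read_text()
    return {
        "password": password,
        "grants": grants,
        "default_gone": "F@c1liTy" not in after and "'root'" not in after,
        "new_user_present": f"'{NEW_CONTROLUSER}'" in after,
        "mode": stat.S_IMODE(cfg.stat().st_mode),
        "after": after,
    }


if __name__ == "__main__":
    result = demo()
    print(result["after"])
    print("\n".join(result["grants"]))
```

Run rotate() on the real file only after the DBA has created the new MySQL user with the returned statements, and store the returned password in your secrets vault rather than in a ticket; the script deliberately raises instead of silently writing a file that has no control lines, so a config that was never the vulnerable layout is not "rotated" into a false sense of safety.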

Hardening best practices

  • Enforce network segmentation: place building management systems on dedicated VLANs with strict ACLs.
  • Limit management access: require VPN or jump-host access for administrative functions and disable direct WAN reachability.
  • Remove bundled tools not required for runtime (e.g., phpMyAdmin) or restrict access to them.
  • Prevent default credentials at provisioning: require unique credentials per device and enforce first-boot password reset.
  • Adopt centralized credential management and periodic rotation (secrets vaults, password managers, short-lived credentials where possible).
  • Enable logging and monitoring for all administrative actions and integrate with SIEM for rapid alerting.

Incident response guidance

  • If you suspect compromise, isolate the affected device(s) from the network to prevent lateral movement.
  • Collect forensic artifacts: webserver logs, system logs, running processes, configuration files, and recent file modifications.
  • Look for persistence mechanisms (scheduled tasks, added users, modified init scripts) and web shells in webroots.
  • Restore from a known-good backup after root cause identification and remediation; do not reuse backups that contain the same hard-coded credentials.
  • Coordinate disclosure and remediation with ABB support and follow vendor advisories for firmware updates and configuration guidance.

Long-term recommendations for vendors and integrators

  • Remove all hard-coded credentials from shipping images and require unique credentials for each installation.
  • Implement secure provisioning workflows that force administrators to set a unique password during first-boot.
  • Adopt secure defaults: disable management interfaces by default, enforce strong password policies, and minimize installed components (principle of least functionality).
  • Provide transparent update channels and timely security advisories to customers.

References

Source                              Link
Zeroscience Advisory (disclosure)   ZSL-2024-5830, https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5830.php
MITRE CVE                           CVE-2024-4007
Vendor (ABB)                        ABB official site, https://www.global.abb (check product security advisories for firmware updates)

Final notes

Hard-coded credentials in operational technology and building management systems represent high-impact risks. Rapidly identifying exposed devices, applying mitigations, and coordinating firmware updates are critical to prevent unauthorized access and potential physical-world consequences. If you operate ASPECT-based systems, treat this as a priority remediation item.