ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS
# Exploit title: ABB Cylon Aspect 4.00.00 (factorySaved.php) Unauthenticated XSS
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=4.00.00
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated
reflected cross-site scripting vulnerability in the 'title' GET parameter.
Input is not properly sanitized before being returned to the user, allowing
the execution of arbitrary HTML/JS code in a user's browser session in the
context of the affected site. While the factory test scripts included in the
upgrade bundle are typically deleted, a short window for exploitation exists
when the device is in the manufacturing phase.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5893
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5893.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ http://192.168.73.31/factorySaved.php?title=<script>console.log('ZSL')</script>Overview: ABB Cylon Aspect factorySaved.php Unauthenticated Reflected XSS
The ABB Cylon Aspect family (NEXUS, MATRIX-2, ASPECT-Enterprise, ASPECT-Studio) up to firmware 4.00.00 contains a reflected cross-site scripting (XSS) vulnerability in a factory/test endpoint (factorySaved.php) where the title GET parameter is returned to the client without proper output encoding. Because the endpoint is sometimes present in manufacturing or pre-production bundles, the window for exploitation is small but real: an unauthenticated attacker can craft a URL that injects HTML/JavaScript into a victim’s browser in the context of the affected device’s web interface.
Why this matters
- Unauthenticated access — no credentials required to trigger the reflected response.
- Client-side compromise — successful exploitation runs arbitrary JavaScript in the administrator/operator’s browser session, enabling session theft, credential capture (via UI spoofing), CSRF or malicious configuration changes (depending on functionality exposed to the logged-in user).
- Deployment risk — while factory scripts are intended for manufacturing, devices that retain them in production create an attack surface often overlooked during hardening.
Technical root cause
The vulnerability is typical reflected XSS: the application takes untrusted input from an HTTP parameter and reflects it into an HTML response without appropriate output encoding or context-aware sanitization. In PHP-based pages this often appears as echoing a parameter into HTML content or attributes directly.
Typical vulnerable pattern (illustrative)
<?php
// Vulnerable: untrusted input echoed directly into HTML
echo "<h1>" . $_GET['title'] . "</h1>";
?>
Explanation: This example shows a common mistake — concatenating raw input into the document. When the value contains HTML/JS, the browser will interpret and execute it.
How to fix it — secure coding and hardening
- Apply contextual output encoding (escape for HTML, attribute, JavaScript contexts).
- Use strict input validation (whitelists) where appropriate.
- Remove or disable factory/test scripts from production firmware/images.
- Deploy defensive HTTP headers and secure cookie attributes.
- Patch devices to vendor-supplied firmware updates when available.
Safe output encoding (PHP example)
<?php
// Secure: encode output for HTML context
$title = isset($_GET['title']) ? $_GET['title'] : '';
echo '<h1>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h1>';
?>
Explanation: htmlspecialchars encodes characters such as <, >, ', and " so they render as literal text rather than being interpreted as HTML/JS. ENT_SUBSTITUTE helps avoid issues with invalid UTF-8. This is the simplest and most appropriate fix when reflecting user-supplied text into an HTML node.
Whitelist validation example (recommended for predictable fields)
<?php
// If title should only contain letters, numbers, spaces, hyphens and underscores
$title = filter_input(INPUT_GET, 'title', FILTER_UNSAFE_RAW) ?? '';
if (!preg_match('/^[A-Za-z0-9 _-]{0,100}$/', $title)) {
// reject or normalize invalid input
$title = 'Invalid title';
}
echo '<h1>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h1>';
?>
Explanation: A whitelist (allow-list) restricts acceptable characters and length. Rejecting or normalizing unexpected input reduces the need to rely solely on encoding and prevents unexpected content types from reaching the UI.
Context-aware escaping
Different places in HTML require different escaping. Use:
- HTML element body: htmlspecialchars(..., ENT_QUOTES, 'UTF-8')
- HTML attribute: similar encoding but ensure quotes are encoded; or use attribute-safe helper libraries.
- JavaScript context: use JSON encoding (e.g., json_encode in PHP) or specialized JS escaping libraries.
Additional mitigations
| Mitigation | How it helps |
|---|---|
| Remove factory/test endpoints | Eliminates the vulnerable code path in production images. |
| Content-Security-Policy (CSP) | Restricts where scripts can come from and can block inline scripts if applied correctly (defense-in-depth). |
| Secure headers and cookies | HttpOnly/Secure/SameSite cookies and headers limit cookie exposure and clickjacking. |
| WAF signatures and input filtering | Detects and blocks suspicious requests that contain script patterns targeted at known endpoints. |
| Firmware updates/patch management | Apply vendor fixes and remove legacy files from images. |
Example CSP header
// Example PHP header setting a conservative CSP
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';");
Explanation: This CSP restricts executable script sources to the same origin and disallows plugin objects. If the UI requires inline scripts, use nonces or hashes to allow only known-good inline scripts rather than enabling unsafe-inline.
Cookie hardening (PHP example)
// Set session cookie with strong attributes
session_set_cookie_params([
'lifetime' => 0,
'path' => '/',
'domain' => '', // set to specific domain if applicable
'secure' => true, // TLS required
'httponly' => true, // not accessible to JS
'samesite' => 'Strict' // or 'Lax' depending on needs
]);
session_start();
Explanation: These attributes reduce the risk that session cookies are exposed to JavaScript (HttpOnly), are leaked over non-encrypted connections (Secure), or are sent cross-site (SameSite).
Detection and remediation guidance for defenders
- Scan devices on your network for the existence of test endpoints like factorySaved.php and remove or block them.
- Implement network-level access controls so management interfaces are reachable only from trusted management subnets or VPNs.
- Use application security scanners (authenticated and unauthenticated) to identify reflected XSS and other input validation issues.
- If immediate patching is not possible: block access to the vulnerable endpoint via firewall/WAF rules and add prevention signatures that sanitize or drop requests containing suspicious script markers in parameters.
- Audit firmware images and deployment pipelines to ensure manufacturing/test files are not packaged into production devices.
Responsible disclosure and vendor actions
Vulnerabilities in embedded device web UIs are best resolved by the vendor issuing a firmware update that removes or repairs the vulnerable code paths and by publishing guidance for administrators to apply the update. Administrators should follow vendor advisories (for example the referenced advisory ID ZSL-2025-5893) and apply available firmware patches as soon as they are validated.
Summary
Reflected XSS in factory/test pages such as factorySaved.php is a serious but straightforward vulnerability to mitigate: remove unnecessary endpoints in production, apply contextual output encoding and input validation, deploy relevant HTTP security headers, and ensure timely firmware updates. Combining secure coding practices with network-level hardening and patch management dramatically reduces the risk to operators and devices.