ABB Cylon Aspect 3.08.02 (deployStart.php) - Unauthenticated Command Execution
# Exploit Title: ABB Cylon Aspect 3.08.02 (deployStart.php) Unauthenticated Command Execution
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
#                   Firmware: <=3.08.02
# Summary: ASPECT is an award-winning scalable building energy management
# and control solution designed to allow users seamless access to their
# building data through standard building protocols including smart devices.
# Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated
# shell command execution vulnerability through the deployStart.php script.
# Any remote client that can reach the web interface can trigger execution of
# the 'rundeploy.sh' script, which starts the Java deployment server and
# applies its configuration, potentially causing unauthorized (and repeated)
# server initialization and performance degradation.
# Tested on: GNU/Linux 3.15.10 (armv7l)
#            GNU/Linux 3.10.0 (x86_64)
#            GNU/Linux 2.6.32 (x86_64)
#            Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
#            Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
#            PHP/7.3.11
#            PHP/5.6.30
#            PHP/5.4.16
#            PHP/4.4.8
#            PHP/5.3.3
#            AspectFT Automation Application Server
#            lighttpd/1.4.32
#            lighttpd/1.4.18
#            Apache/2.2.15 (CentOS)
#            OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
#            OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
#            ErgoTech MIX Deployment Server 2.0.0
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
# Advisory ID: ZSL-2024-5891
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5891.php
# CVE ID: CVE-2024-48840
# CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48840
# 21.04.2024
--
$ cat project
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/deployStart.php

ABB Cylon Aspect 3.08.02 - deployStart.php Unauthenticated Command Execution (CVE-2024-48840)
This article provides a technical, defensive-oriented analysis of a critical vulnerability affecting ABB Cylon Aspect building management systems (BMS/BAS). It explains the root cause at a high level, the potential impact on affected environments, detection techniques, and practical mitigation and hardening guidance for administrators and security teams.
Summary
In versions up to and including 3.08.02 of ABB Cylon Aspect (NEXUS, MATRIX-2, ASPECT-Enterprise, ASPECT-Studio), the web endpoint deployStart.php can be requested without authentication and unconditionally runs the device's deployment routine (rundeploy.sh, which starts the Java deployment server). The flaw is tracked as CVE-2024-48840 and was publicly disclosed by Zero Science Lab (advisory ZSL-2024-5891). Because no credentials are needed, anyone with network access to the web interface can force unauthorized (re)initialization of the deployment server; the impact as disclosed is on the availability and integrity of the controller's services rather than on the confidentiality of its data.
Key facts
- Vulnerability: unauthenticated execution of the device's deployment routine via deployStart.php (missing authorization check)
- CVE: CVE-2024-48840
- Affected firmware/software: ABB Cylon Aspect versions ≤ 3.08.02 (NEXUS, MATRIX-2, ASPECT-Enterprise, ASPECT-Studio)
- Public advisory (researcher, not vendor): Zero Science Lab ZSL-2024-5891, https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5891.php
Why this is dangerous
- Unauthenticated access: No valid credentials needed to reach the vulnerable logic.
- Server-side execution: The endpoint triggers a deployment script on the device. Even if the script is benign, repeated or manipulated triggers can cause resource consumption, misconfiguration, or pathway to further compromise.
- Operational impact: BMS controllers manage HVAC, lighting and other building systems; disruption can have safety and business continuity implications.
Technical overview (non-actionable)
The vulnerable component is a web-accessible PHP endpoint that invokes a local deployment helper (rundeploy.sh) without checking whether the caller is authenticated. As publicly disclosed, the request carries no attacker-controlled parameters into the command, so this is an authorization failure rather than command injection: the attacker cannot choose what runs, but can make the device run its internal deployment routine at will, as often as desired. That routine starts or reconfigures the Java deployment server (ErgoTech MIX Deployment Server on the tested builds) and applies its configuration, so every trigger spawns new processes and may reset service state.
Impact and examples of misuse
- Unauthorized initialization or re-initialization of services, leading to unexpected behavior or downtime.
- Resource exhaustion: repeated triggers may spawn multiple processes, consuming CPU, memory, or I/O and degrading device performance.
- Pivoting: an attacker able to influence local service state may find secondary weaknesses to escalate access within the target network.
Detection and indicators of compromise (IoCs)
Detection should focus on web logs, process/activity monitoring, and network telemetry. Below are defensive-oriented indicators to look for:
- HTTP(S) requests to endpoints named deployStart.php (check web server access logs and reverse proxies).
- Repeated/unscheduled POST or GET requests to management web endpoints coming from unexpected IPs or subnets.
- New or unexpected child processes such as repeated Java runtime launches, or invocations of local deployment scripts shortly after web requests.
- Sudden spikes in CPU or memory on controllers coinciding with web traffic to management endpoints.
- Changes to configuration files or timestamps associated with deployment artifacts.
Practical defensive detection examples
Below is a Suricata rule that alerts on requests to the vulnerable endpoint, intended for monitoring your own BMS network segments.
# Suricata example: alert on any HTTP request whose path is /deployStart.php
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ABB ASPECT deployStart.php request - possible unauthenticated deployment trigger"; \
    flow:to_server,established; http.uri; content:"/deployStart.php"; nocase; \
    reference:cve,2024-48840; classtype:web-application-attack; sid:1000001; rev:1;)
Explanation: the rule matches on the normalized request URI (the http.uri sticky buffer, Suricata 5 and later; on older engines use uricontent:"/deployStart.php"; instead). The destination port is left as any because the controllers serve their web interface from lighttpd or Apache on whatever port is configured, and the method is deliberately not constrained, since PHP executes the script for GET, POST and HEAD alike. Set $HOME_NET to the BMS subnets and $EXTERNAL_NET to everything outside the management VLAN so that legitimate operator traffic does not fire the rule. The rule sees plaintext HTTP only; TLS-wrapped management traffic has to be inspected at a terminating proxy.
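As an added example for this section (not code from the advisory or from ABB), the following Python script applies the indicators above to constructed log samples: it pulls every deployStart.php request out of a Common Log Format access log (the lighttpd/Apache default), separates hits from an assumed management subnet from everything else, finds bursts of repeated triggers from one source, and ties each rundeploy.sh or Java process start in a simplified process-event feed back to the request that most plausibly caused it. The subnet, the thresholds, the process-event format and both log samples are assumptions.

```python
"""Correlate deployStart.php hits in a web access log with process starts.
Added example for this article, not code from the advisory or from ABB.
Assumes Common Log Format access logs (lighttpd/Apache default) and a
simplified process-start feed (as exported from auditd or execsnoop); the
samples, trusted subnet and thresholds below are constructed/assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample: access.log in Common Log Format.
ACCESS_LOG = """\
10.20.5.7 - - [21/Apr/2024:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
10.20.5.7 - - [21/Apr/2024:09:00:14 +0000] "GET /deployStart.php HTTP/1.1" 200 312
192.0.2.44 - - [21/Apr/2024:09:12:03 +0000] "GET /deployStart.php HTTP/1.1" 200 312
192.0.2.44 - - [21/Apr/2024:09:12:04 +0000] "POST /deployStart.php HTTP/1.1" 200 312
192.0.2.44 - - [21/Apr/2024:09:12:05 +0000] "GET /deployStart.php?x=1 HTTP/1.1" 200 312
"""

# Constructed sample: process-start events (timestamp, parent, pid, exe, argv).
PROCESS_LOG = """\
2024-04-21T09:00:15Z ppid=812 pid=2210 exe=/bin/sh argv=rundeploy.sh
2024-04-21T09:00:16Z ppid=2210 pid=2211 exe=/usr/bin/java argv=-jar deploy.jar
2024-04-21T09:12:04Z ppid=812 pid=2390 exe=/bin/sh argv=rundeploy.sh
2024-04-21T09:12:05Z ppid=812 pid=2391 exe=/bin/sh argv=rundeploy.sh
2024-04-21T09:12:06Z ppid=812 pid=2392 exe=/bin/sh argv=rundeploy.sh
2024-04-21T09:40:00Z ppid=1 pid=2500 exe=/usr/sbin/cron argv=
"""

MANAGEMENT_NETS = [ip_network("10.20.5.0/24")]        # assumed operator VLAN
BURST_COUNT, BURST_WINDOW = 3, timedelta(seconds=60)  # assumed thresholds
CORRELATION_WINDOW = timedelta(seconds=5)             # request -> spawn lag
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
PROC_RE = re.compile(r'^(?P<ts>\S+) ppid=\d+ pid=(?P<pid>\d+) exe=(?P<exe>\S+) argv=(?P<argv>.*)$')

def parse_access_log(text):
    """CLF lines -> dicts; lines that do not match the format are skipped."""
    out = []
    for m in filter(None, map(CLF_RE.match, text.splitlines())):
        out.append({"ip": m["ip"], "method": m["method"], "uri": m["uri"],
                    "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return out

def parse_process_log(text):
    out = []
    for m in filter(None, map(PROC_RE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append({"ts": ts, "pid": int(m["pid"]), "exe": m["exe"], "argv": m["argv"]})
    return out

def is_deploy_uri(uri):
    # Path only: method and query string are irrelevant, the PHP runs regardless.
    return uri.split("?", 1)[0].lower().endswith("/deploystart.php")

def is_management(ip):
    return any(ip_address(ip) in net for net in MANAGEMENT_NETS)

def find_bursts(requests):
    """(ip, peak) for sources with at least BURST_COUNT hits in any BURST_WINDOW."""
    by_ip = defaultdict(list)
    for r in requests:
        by_ip[r["ip"]].append(r["ts"])
    bursts = []
    for ip, times in by_ip.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BURST_COUNT:
            bursts.append((ip, peak))
    return bursts

def is_deploy_spawn(proc):
    return "rundeploy.sh" in proc["argv"] or proc["exe"].endswith("/java")

def correlate_process_spawns(requests, procs):
    """Attribute each deployment-related spawn to the latest deployStart.php
    request that preceded it by at most CORRELATION_WINDOW."""
    reqs = sorted(requests, key=lambda r: r["ts"])
    matches = []
    for p in filter(is_deploy_spawn, procs):
        prior = [r for r in reqs if r["ts"] <= p["ts"] <= r["ts"] + CORRELATION_WINDOW]
        if prior:
            src = prior[-1]
            matches.append({"pid": p["pid"], "exe": p["exe"], "source_ip": src["ip"],
                            "lag_s": (p["ts"] - src["ts"]).total_seconds()})
    return matches

def analyze(access_text, process_text):
    """Untrusted sources hitting the endpoint, bursts, and request->spawn links."""
    reqs = [e for e in parse_access_log(access_text) if is_deploy_uri(e["uri"])]
    untrusted = defaultdict(int)
    for r in reqs:
        if not is_management(r["ip"]):
            untrusted[r["ip"]] += 1
    return {"untrusted_sources": dict(untrusted), "bursts": find_bursts(reqs),
            "correlated_spawns": correlate_process_spawns(reqs, parse_process_log(process_text))}
```

Run against the embedded samples, the script reports 192.0.2.44 (outside the assumed management subnet) as the only untrusted source, flags its three hits in two seconds as a burst, and attributes all five rundeploy.sh/Java spawns to a preceding request, three of them to the untrusted address. In production, feed it the real access.log and an execve audit trail with clocks synchronized, and widen CORRELATION_WINDOW if the deployment server is slow to start.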
Recommended immediate mitigations
- Apply vendor patches: first and foremost, check ABB support channels for an official firmware or software update that addresses CVE-2024-48840 and apply it promptly.
- Network segmentation: restrict access to BMS management interfaces to a dedicated management VLAN and whitelist only trusted operator IPs.
- Firewall and ACLs: block inbound HTTP(S) access to management ports from untrusted networks (including Internet-facing access). Use network-level filtering to allow only known management hosts.
- Web application firewall (WAF): deploy WAF rules to block or monitor requests to sensitive endpoints such as deployStart.php until a patch is applied.
- Service hardening: where possible, disable unneeded web endpoints or remove/rename development/testing endpoints used in production.
- Credential controls and MFA: ensure all management interfaces that require authentication enforce strong credentials and multi-factor authentication if supported.
Longer-term remediation and hardening
- Inventory and asset management: maintain an up-to-date inventory of all BMS devices, firmware versions, and exposed management endpoints.
- Change management: enforce strict change control and scheduled maintenance windows for BMS updates to reduce unexpected service interruption risk.
- Logging and monitoring: centralize logs (web server, syslog, application) and set alerts for management endpoint access and unexpected process launches.
- Endpoint protection: where possible, enable host-based monitoring to audit process creation, particularly Java or deployment script executions.
- Vendor coordination: maintain support contracts and subscribe to vendor security advisories so patches are received and validated promptly.
Incident response checklist (if you suspect exploitation)
- Isolate affected device from network segments that contain critical systems while preserving evidence.
- Collect relevant logs: web server access/error logs, system logs, process lists, and network captures around suspected event times.
- Identify and terminate unauthorized processes if safe to do so; document process memory and metadata if possible to support forensic analysis.
- Restore from known-good backups if configuration corruption is detected, and re-image devices when compromise is confirmed.
- Coordinate disclosure and remediation with vendor support; follow responsible disclosure timelines if further vulnerabilities are discovered.
Sample safe check for defenders (non-invasive)
Administrators can periodically verify that the controller's web interface is reachable from permitted management hosts and, just as importantly, unreachable from everywhere else. Do not use deployStart.php itself as the probe: on an unpatched device the web server executes the PHP script for any request, a HEAD included, so the "check" would itself trigger rundeploy.sh. Probe the landing page instead, from two vantage points, and only against devices you own or administer:
# Defensive check, run from an authorized management station: expect an HTTP status line
# (200, or a redirect to the login page). Use https:// if the device is configured for TLS.
curl -I --max-time 5 http://management-host.example.local/
# The same command from a host outside the management VLAN should time out or be refused;
# a status line from there means the segmentation or ACLs are not in effect.
Explanation: -I sends a HEAD request and prints only the response headers; --max-time bounds the wait so the check can run from a scheduler. Record status codes and timestamps over time: a controller that suddenly becomes reachable from a non-management vantage point, or that stops answering the management station while its CPU is busy, is a change worth investigating.
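As an added example for this check (not vendor code), the following Python script performs the reachability test without any HTTP request at all: it only completes a TCP handshake to the web ports and closes, so nothing on the device is executed, and it compares the outcome with what the segmentation policy says this vantage point should see. The host name and port list are assumptions.

```python
"""Verify that a controller's web interface is reachable only from where
policy allows, without sending a single HTTP request (so deployStart.php
can never run as a side effect). Added example for this article, not vendor
code; the default host name and ports are assumptions."""
import socket
import sys

DEFAULT_PORTS = (80, 443)      # assumed web ports of the management interface

def tcp_reachable(host, port, timeout=3.0, connect=socket.create_connection):
    """TCP handshake only; the connection is closed without sending any bytes."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:            # refused, filtered (timeout) or unresolvable
        return False

def check_exposure(host, expect_reachable, ports=DEFAULT_PORTS,
                   connect=socket.create_connection):
    """Compare what this vantage point can reach with what it should reach.
    Run with expect_reachable=True from a management station and False from
    any other host; every mismatch is a segmentation policy violation."""
    verdict = {}
    for port in ports:
        reachable = tcp_reachable(host, port, connect=connect)
        verdict[port] = "ok" if reachable == expect_reachable else "POLICY VIOLATION"
    return verdict

if __name__ == "__main__":
    # usage: python check_exposure.py [host] [--management]
    target = next((a for a in sys.argv[1:] if not a.startswith("--")),
                  "bms-controller.example.local")   # assumed host name
    for port, result in check_exposure(target, "--management" in sys.argv).items():
        print(f"{target}:{port} {result}")
```

Schedule it from at least one host inside and one host outside the management VLAN; a "POLICY VIOLATION" from the outside host means the ACLs or firewall rules in the mitigations above are not actually enforced, while one from the inside host usually means the controller is down or overloaded.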
References and further reading
| Item | Link / note |
|---|---|
| ZeroScience advisory | https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5891.php |
| CVE record | https://www.cve.org/CVERecord?id=CVE-2024-48840 |
| Vendor (ABB) | Check ABB security/advisory pages and support portal for patches |
Closing guidance
Vulnerabilities in building management systems pose both cyber and operational risks. Prioritize patching and network-based containment for affected ABB Cylon Aspect devices, enforce strict access controls for management interfaces, and enhance monitoring to detect misuse. Coordinated vendor remediation and careful incident response will reduce exposure and protect occupants and infrastructure from avoidable disruptions.