ABB Cylon FLXeon 9.3.4 - Default Credentials

Exploit Author: LiquidWorm
Analysis Author: www.bubbleslearn.ir
Category:
Language: Unknown
Published Date: 2025-04-11
ABB Cylon FLXeon 9.3.4 Default Credentials


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
                  CBX Series (FLX Series)
                  CBT Series
                  CBV Series
                  ABB UC32 Series Main Plant Controllers (Cylon's UnitronUC32.xx)
                  Firmware: <=9.3.4

Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
building management solutions. ABB BACnet controllers are designed for intelligent
control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
heat pump systems, air handling units (constant volume, variable air volume, and
multi-zone), rooftop units, electrical systems such as lighting control, variable
frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's scalable,
and modular, allowing you to control a diverse range of HVAC functions.

Desc: The ABB Cylon FLXeon BACnet controller ships with a weak set of default administrative
credentials. These can be guessed in remote password-guessing attacks, giving an attacker
full control of the system.

Tested on: Linux Kernel 5.4.27
           Linux Kernel 4.15.13
           NodeJS/8.4.0
           Express


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5919
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5919.php


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░


$ cat cyloncreds.txt
admin:cylonctl
cxpro:siteguide
UC32Net:CylonCtl


ABB Cylon FLXeon 9.3.4 — Default Credentials Vulnerability

Executive summary

The ABB Cylon FLXeon family of BACnet building automation controllers (including FBXi, FBTi, FBVi, CBX, CBT, CBV and UC32 series running firmware up to and including 9.3.4) ships with weak factory-default administrative credentials. These default accounts can allow an attacker who can reach the device’s management interfaces to gain full control of the controller and the systems it manages (HVAC, pumps, chillers, lighting, and other building automation assets).

Why this matters

Building automation controllers are high-impact OT/IoT devices. Compromise can result in unauthorized operational control, safety or comfort disruptions, and pivot opportunities into enterprise or OT networks. Default credentials are a common and trivial attack vector — if left unchanged and if network controls are insufficient, they materially increase risk.

Summary of affected products and firmware

Vendor              Product family / models                                                  Firmware
ABB Ltd. (Cylon)    FLXeon Series (FBXi, FBTi, FBVi), CBX/FLX, CBT, CBV,                     versions <= 9.3.4
                    UC32 Main Plant Controllers

Vulnerability description

Some FLXeon/Unitron UC32 controllers are shipped with well-known factory-default administrative accounts and passwords. If those credentials remain unchanged, an unauthenticated or minimally authenticated remote actor with network access to the device’s management interfaces (web UI, BACnet/IP management port, or other exposed services) could authenticate and perform administrative actions. The issue arises from weak or predictable default credentials combined with insufficiently restricted network access to management interfaces.

Potential impact

  • Unauthorized reconfiguration of HVAC and other building systems.
  • Operational disruption (setpoint manipulation, scheduling changes, equipment shutdown/startup).
  • Exposure of sensitive facility topology and metadata.
  • Lateral movement opportunities into adjacent OT/IT infrastructure.
  • Possible safety and compliance consequences depending on installed systems.

Indicators of compromise and detection guidance

  • Unexpected configuration changes, disabled alarms, or altered schedules on controllers.
  • Unusual administrative logins from unknown IP addresses or at abnormal hours.
  • New or unrecognized accounts on the device.
  • Network scans revealing management ports (web, BACnet/IP port 47808, SSH, Telnet) accessible from untrusted networks.

Detection actions for defenders:

  • Audit device accounts and verify that no devices retain factory-default credentials.
  • Review controller event and change logs for unexpected administrative actions.
  • Use network segmentation and access control lists (ACLs) to restrict management interfaces to trusted subnets and jump hosts.
  • Inventory devices and correlate firmware versions to identify controllers running vulnerable firmware (<= 9.3.4).

Mitigation and remediation

Immediate steps (prioritize across all impacted sites):

  • Change default passwords on every affected controller. Use a unique, strong password per device and store securely in a secrets manager or vault.
  • Apply vendor-supplied firmware updates or patches — check ABB/Cylon release notes for versions that remediate the issue.
  • Restrict network access to management interfaces: ensure controllers are on dedicated management VLANs, apply firewall rules, and block direct Internet access.
  • Disable or limit services you do not need (SSH, Telnet, HTTP) and prefer encrypted management channels.
  • Implement multi-factor authentication (MFA) for management console access where supported by the management platform.
  • Harden logging and alerting so that administrative changes trigger notifications and are retained for forensic analysis.

Best practices for prevention

  • Deploy an authoritative inventory of BAS (Building Automation System) hardware and firmware versions and monitor for drift.
  • Adopt a secure provisioning process that mandates credential rotation and unique credentials on commissioning.
  • Use network segmentation between IT, OT, and BAS zones with restrictive east-west rules.
  • Use role-based access control (RBAC) and least privilege for operator and integrator accounts.
  • Regularly test backups and recovery procedures for controllers and BAS configuration data.
  • Engage a vulnerability management program that includes OT devices and tracks vendor advisories.

Safe automation example: generate and store strong credentials

#!/usr/bin/env python3
# Example: generate a cryptographically strong password and print for operator use
import secrets
import string

def gen_password(length=24):
    alphabet = string.ascii_letters + string.digits + "!@#$%&*()-_=+"
    return ''.join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print("Generated password:", gen_password(24))

This small Python script uses the standard library's cryptographically secure random generator (secrets) to produce a strong password. Operators can adapt it to integrate with a secrets manager (HashiCorp Vault, AWS Secrets Manager, etc.) so passwords are never kept in plaintext files or emailed. The code is defensive — it creates credentials, it does not interact with target devices or attempt authentication.

Detection automation (defender-oriented)

Rather than attempt to authenticate using default credentials from remote scanning tools, use passive or authorized active inventory techniques to locate devices and validate configuration non-destructively. For example:

  • Authorized network discovery from an operations network segment to map BACnet/IP endpoints and collect device object descriptors.
  • Centralized configuration checks via the vendor’s management system or an authorized API.
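As an added defender-side example (not code from the advisory, the analysis author, or ABB), the following Python audits a constructed controller inventory for firmware at or below 9.3.4 and scans constructed administrative-login records for successful sessions from outside a trusted management subnet or outside a maintenance window. The hostnames, the subnet 10.20.30.0/24, the 07:00-18:59 window and the log line format are all assumptions.

```python
import ipaddress
from datetime import datetime

VULN_MAX = (9, 3, 4)                                 # firmware <= 9.3.4 is in scope per the advisory
TRUSTED_MGMT = ipaddress.ip_network("10.20.30.0/24")  # assumed management/jump-host subnet
WORK_HOURS = range(7, 19)                            # assumed maintenance window, 07:00-18:59

def parse_version(version):
    # Compare numerically: as strings, "9.10.0" would sort before "9.3.4".
    return tuple(int(part) for part in version.strip().split("."))

def vulnerable_controllers(inventory):
    """inventory: (hostname, firmware) pairs -> hostnames running firmware <= 9.3.4."""
    return [host for host, fw in inventory if parse_version(fw) <= VULN_MAX]

def suspicious_logins(records):
    """records: 'ISO-timestamp user src_ip result' lines -> (line, reason) for risky successes."""
    findings = []
    for line in records:
        stamp, _user, src, result = line.split()
        if result != "OK":
            continue  # failed attempts are noise here; only successful admin sessions matter
        reasons = []
        if ipaddress.ip_address(src) not in TRUSTED_MGMT:
            reasons.append("source outside trusted management subnet")
        if datetime.fromisoformat(stamp).hour not in WORK_HOURS:
            reasons.append("login outside maintenance window")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings

# Constructed sample data (not captured from a real site)
INVENTORY = [("ahu-1-flx", "9.3.4"), ("chiller-cbx", "9.10.0"), ("plant-uc32", "9.2.0")]
LOGINS = [
    "2025-04-11T09:15:00 admin 10.20.30.5 OK",   # expected: trusted subnet, working hours
    "2025-04-11T02:40:00 admin 10.20.30.5 OK",   # off-hours
    "2025-04-11T14:05:00 admin 192.0.2.77 OK",   # untrusted source
    "2025-04-11T14:06:00 admin 192.0.2.77 FAIL", # failure, ignored
]

if __name__ == "__main__":
    for host in vulnerable_controllers(INVENTORY):
        print(f"[firmware] {host}: at or below 9.3.4, rotate defaults and patch")
    for line, reason in suspicious_logins(LOGINS):
        print(f"[login] {line} -> {reason}")
```

Feed it the real inventory export and the controllers' authentication logs in the same shape, and adjust the subnet and window to the site's own management design.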

Responsible disclosure and timeline

The issue was publicly documented by security researcher Gjoko “LiquidWorm” Krstic and published with advisory ZSL-2025-5919. Operators should consult ABB’s official support channels for firmware updates, mitigations, and authoritative remediation guidance. If you find devices in your estate that still use manufacturer defaults, treat them as high-priority for remediation.

References and further reading

  • Zer0Science Advisory: ZSL-2025-5919 — details and timeline of disclosure
  • ABB product pages and support portal — firmware notices and changelogs
  • Industry best practices for OT and BAS security (NIST SP 800-82, IEC 62443)

Practical next steps checklist for operators

  • Identify all ABB Cylon/Unitron controllers in your environment and record firmware versions.
  • Rotate credentials immediately for all management accounts on controllers and management servers.
  • Apply vendor firmware updates where available and tested in a lab before field deployment.
  • Enforce network segmentation and access controls to management ports.
  • Harden logging, alerting, and regular audits of device configurations.

Addressing default credentials is one of the highest-impact, lowest-effort steps an organization can take to reduce risk to building automation systems. Combine credential hygiene with firmware management, network controls, and monitoring to build robust protection for ABB Cylon controllers and similar OT assets.