Hardcoded credentials in ASPECT Energy Management System
Act Now · 9.8 · 9akk108470a6775 · Feb 5, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
ASPECT Energy Management System contains hardcoded credentials (CWE-798) that allow unauthorized access to affected product versions. An attacker with network access to a misconfigured ASPECT device could gain administrative access and compromise system confidentiality, integrity, and availability, including log files. ABB states these products are not intended to be internet-facing and require proper network isolation.
What this means
What could happen
An attacker with network access to a misconfigured ASPECT Energy Management System could gain unauthorized administrative access and compromise energy management operations, including the ability to alter system settings, disable monitoring, or manipulate operational logs.
Who's at risk
Energy utilities and industrial facilities operating ABB ASPECT Energy Management Systems (ASP-ENT-x, NEX-2x, NEXUS-3-x, MAT-x) version 3.08.03 or earlier. This primarily affects organizations in the energy sector that use ASPECT for power distribution monitoring and management.
How it could be exploited
An attacker on the network containing an exposed ASPECT device can use the hardcoded credentials to authenticate directly to the management interface. This grants administrative access without requiring valid user credentials, allowing the attacker to modify system configuration, disable alerts, or manipulate historical data.
Prerequisites
- Network access to the ASPECT device (attacker must be on the same network segment or have a route to the device)
- ASPECT device must be exposed to a network the attacker can reach (misconfigured network segmentation or internet exposure)
- Knowledge of the hardcoded credential values
remotely exploitable · no authentication required · low complexity · no patch available · hardcoded credentials
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
ASP-ENT-x <= 3.08.03 | ≤ 3.08.03 | No fix (EOL)
NEX-2x <=3.08.03 | ≤ 3.08.03 | No fix (EOL)
NEXUS-3-x <=3.08.03 | ≤ 3.08.02 | No fix (EOL)
MAT-x <=3.08.03 | ≤ 3.08.03 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Immediately implement network segmentation to isolate ASPECT devices from untrusted networks; ASPECT systems must not be reachable from the internet or any insecure network
- HARDENING: Implement firewall rules to restrict network access to ASPECT devices to only authorized workstations and engineering networks
- WORKAROUND: If possible, disable or change the hardcoded credentials through ASPECT management interface configuration
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor ASPECT device logs for unauthorized access attempts or administrative actions
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ASP-ENT-x <= 3.08.03, NEX-2x <=3.08.03, NEXUS-3-x <=3.08.03, MAT-x <=3.08.03. Apply the following compensating controls:
- HARDENING: Follow ABB's documented security guidance in FBXi, CBXi, and ASPECT SOLUTIONS documentation for proper system deployment and network configuration
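One way to verify the segmentation and firewall controls above from firewall flow logs, as an added example that is not from ABB or this advisory. The device addresses, authorized subnet, internal range, and five-field log layout are assumptions, and the sample records are constructed.

```python
import ipaddress

# Placeholder values, assumed for illustration (not from the advisory).
ASPECT_DEVICES = {"10.20.0.10", "10.20.0.11"}
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.5.0/28")]  # engineering workstations
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # internal address space

# Constructed sample records: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2025-02-05T08:00:01Z 10.20.5.4 10.20.0.10 443 ALLOW
2025-02-05T08:02:17Z 10.30.1.77 10.20.0.10 443 ALLOW
2025-02-05T08:03:40Z 203.0.113.9 10.20.0.11 80 ALLOW
2025-02-05T08:04:02Z 198.51.100.23 10.20.0.11 22 DENY
2025-02-05T08:05:00Z 10.20.5.4 10.20.9.9 443 ALLOW
malformed line
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_flows(text):
    """Return (findings, skipped) for unauthorized flows aimed at ASPECT devices."""
    findings, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            skipped += 1          # not a flow record; count it, do not guess
            continue
        ts, src, dst, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            skipped += 1
            continue
        # Only flows to ASPECT devices from outside the authorized subnet matter.
        if str(dst_ip) not in ASPECT_DEVICES or _in_any(src_ip, AUTHORIZED_NETS):
            continue
        if action != "ALLOW":
            kind = "blocked-attempt"      # firewall held; still worth reviewing
        elif _in_any(src_ip, SITE_NETS):
            kind = "segmentation-gap"     # internal host outside the allowlist got through
        else:
            kind = "external-exposure"    # device reachable from outside the site
        findings.append((kind, ts, src, dst, port))
    return findings, skipped

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS)[0]:
        print(*finding)
```

Any `segmentation-gap` or `external-exposure` finding means a firewall rule permits traffic the hardening steps say should be denied.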
CVEs (1)
API: /api/v1/advisories/7c3fcc98-00b7-4530-aefd-91d8ffae832c