OTPulse

ELSB/BLBA ASPECT advisory several CVEs

Act Now | CVSS 9.1 | 9akk108471a0021 | May 22, 2025
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

ABB ASPECT Building Management System contains multiple critical vulnerabilities (CWE-269, CWE-94, CWE-89, CWE-863, and others) allowing privilege escalation, arbitrary code execution, unsafe file uploads, and SQL injection. These vulnerabilities affect ASPECT-Enterprise, NEXUS, and MATRIX product lines at versions 3.08.03 and earlier. ABB has patched most vulnerabilities in version 3.08.04 but will not provide fixes for remaining vulnerabilities in ASPECT-Enterprise ASP-ENT-x systems, which are being phased out in favor of a new cloud-based solution. The vulnerabilities were first discovered in June 2023.

What this means
What could happen
An authenticated attacker with elevated privileges could execute arbitrary code, modify system configurations, or disable the building management system, disrupting HVAC, lighting, access control, and critical facility operations.
Who's at risk
Building operators and facility managers running ABB ASPECT, NEXUS, or MATRIX building management systems should care. This affects automated control of HVAC systems, lighting, access control, energy management, and other critical building automation functions at water utilities, municipal facilities, hospitals, and commercial buildings. The system can monitor and control equipment across your entire facility.
How it could be exploited
An attacker with administrative or engineering credentials on the network could exploit multiple code execution and privilege escalation vulnerabilities to run malicious commands on the ASPECT system. The vulnerabilities include improper privilege management, unsafe code execution, and file upload issues that allow bypassing security controls.
Prerequisites
  • Valid engineering or administrative credentials for ASPECT system

  • remotely exploitable (when remote access option enabled)
  • authentication required but with privileged account
  • multiple code execution pathways
  • no patch available for ASP-ENT-x product line
  • affects facility management and safety systems
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (4)
3 with fix, 1 pending

Product | Affected Versions | Fix Status
ASPECT®-Enterprise ASP-ENT-x | ≤ 3.08.03 | No fix yet
NEXUS Series NEX-2x | ≤ 3.08.03 | 3.08.04
NEXUS Series NEXUS-3-x | ≤ 3.08.03 | 3.08.04
MATRIX Series MAT-x | ≤ 3.08.03 | 3.08.04

Remediation & Mitigation
Do now
WORKAROUND: For ASPECT-Enterprise ASP-ENT-x systems with no patch available, restrict network access to the BMS to authorized engineering workstations only using firewall rules; disable remote access if not required
HARDENING: Audit and enforce strong, unique passwords for all ASPECT system administrative and engineering accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

NEXUS Series NEX-2x
HOTFIX: Upgrade NEXUS Series NEX-2x systems to version 3.08.04 or later
NEXUS Series NEXUS-3-x
HOTFIX: Upgrade NEXUS Series NEXUS-3-x systems to version 3.08.04 or later
MATRIX Series MAT-x
HOTFIX: Upgrade MATRIX Series MAT-x systems to version 3.08.04 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate ASPECT BMS traffic from general IT network and critical control systems
HARDENING: Evaluate migration path to ABB's replacement BMS solution based on current industry cyber security standards for long-term risk reduction
ELSB/BLBA ASPECT advisory several CVEs | CVSS 9.1 - OTPulse