ABB Cylon Aspect BMS/BAS

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-252-02 | Aug 11, 2025
ABB
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

ABB Cylon Aspect BMS/BAS platforms (ASPECT-Enterprise ASP-ENT-x, NEXUS Series NEX-2x and NEXUS-3-x, MATRIX Series MAT-x) contain critical authentication bypass and buffer overflow vulnerabilities (CWE-288, CWE-120, CWE-306) affecting versions prior to 3.08.04-s01. Successful exploitation allows an attacker to assume control of the device or perform denial-of-service attacks. These vulnerabilities are exploitable only if the device is accessible on the network (either directly exposed to the Internet or reachable from a compromised internal segment). ABB has released firmware version 3.08.04-s01 or later as a fix for most affected products.

What this means
What could happen
An attacker with network access to an ASPECT BMS/BAS device could gain complete control of the system or crash it, potentially disrupting building automation, HVAC, lighting, or security systems that your facility depends on.
Who's at risk
Water authorities, utilities, and facility managers deploying ABB Cylon Aspect building management systems (BMS) or building automation systems (BAS) for HVAC, lighting, and environmental control should evaluate their ASPECT deployments. This affects ASP-ENT-x (ASPECT-Enterprise), NEX-2x (NEXUS Series), MAT-x (MATRIX Series), and NEXUS-3-x platforms.
How it could be exploited
An attacker on the network segment where ASPECT is installed could exploit authentication or buffer overflow flaws (CWE-288, CWE-120) to bypass security controls and execute arbitrary commands on the BMS/BAS controller, compromising automation logic and operations.
Prerequisites
  • Network access to the ASPECT device (direct Internet exposure or accessible from compromised internal network)
  • ASPECT device running firmware version prior to 3.08.04-s01
  • Default or weak credentials may increase exploitability if not changed during commissioning
Remotely exploitable | No authentication required | Low attack complexity | Critical CVSS score (9.8) | Affects building automation and control systems | Default credentials may be present
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (8)
6 with fix, 2 EOL
Product | Affected Versions | Fix Status
ABB ASPECT-Enterprise ASP-ENT-x: <3.08.04-s01 | <3.08.04-s01 | 3.08.04-s01
ABB NEXUS Series NEX-2x: <3.08.04-s01 | <3.08.04-s01 | 3.08.04-s01
ABB MATRIX Series MAT-x: <3.08.04-s01 | <3.08.04-s01 | 3.08.04-s01
NEX-2x | <3.08.04-s01 | 3.08.04-s01
MAT-x | <3.08.04-s01 | 3.08.04-s01
ASP-ENT-x version <3.08.04-s01 | <3.08.04-s01 | No fix (EOL)
NEXUS-3-x version <3.08.04-s01 | <3.08.04-s01 | No fix (EOL)
ABB NEXUS Series NEXUS-3-x: <3.08.04-s01 | <3.08.04-s01 | 3.08.04-s01
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to ASPECT devices by deploying them behind a firewall; do not expose ASPECT directly to the Internet or via NAT port forwarding
HARDENING: If remote access to ASPECT is required, configure access only through a VPN gateway to the network segment where ASPECT is installed, ensuring the VPN gateway and network are hardened to industry standards and kept current with security patches
HARDENING: Change all default credentials on all ASPECT devices during commissioning; if not already done, change all changeable credentials immediately
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

NEX-2x
HOTFIX: Update ABB ASPECT-Enterprise ASP-ENT-x, NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) devices to firmware version 3.08.04-s01 or later
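
To plan the maintenance window, the following added example (not code from ABB or from this advisory) triages an asset inventory against the fixed firmware version 3.08.04-s01. It assumes firmware strings follow MAJOR.MINOR.PATCH with an optional -sNN suffix and that a release without the suffix predates -s01 of the same base; the hostnames and versions are constructed.

```python
import re

FIXED = "3.08.04-s01"  # fixed firmware release named in the advisory
# Assumed layout: MAJOR.MINOR.PATCH with an optional "-sNN" suffix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-s(\d+))?$")

def parse_version(text):
    """Return a sortable tuple, or None if the string does not match."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    # Assumption: a release without "-sNN" predates "-s01" of the same base.
    return (int(major), int(minor), int(patch), int(suffix) if suffix else 0)

def triage(inventory):
    """Sort (host, model, firmware) records into patch / ok / review lists."""
    fixed = parse_version(FIXED)
    result = {"patch": [], "ok": [], "review": []}
    for host, model, firmware in inventory:
        parsed = parse_version(firmware)
        if parsed is None:
            # Unrecognised format: never assume patched, check by hand.
            result["review"].append((host, model))
        elif parsed < fixed:
            result["patch"].append((host, model))
        else:
            result["ok"].append((host, model))
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("bms-plant-01", "NEX-2x", "3.08.03"),
    ("bms-plant-02", "MAT-x", "3.08.04"),
    ("bms-hq-01", "ASP-ENT-x", "3.08.04-s01"),
    ("bms-hq-02", "NEX-2x", "3.08.04-s02"),
    ("bms-lab-01", "MAT-x", "v3.8 (custom)"),
    ("bms-lab-02", "NEX-2x", "3.07.02-s05"),
]

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE).items():
        names = ", ".join(f"{h} [{m}]" for h, m in devices) or "-"
        print(f"{bucket}: {names}")
```

Devices in the review bucket report a firmware string the parser does not recognise and should be checked manually rather than treated as patched.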