ABB Cylon Aspect BMS/BAS

Act Now9.8ICS-CERT ICSA-25-252-02Sep 9, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

ABB ASPECT building management systems contain multiple vulnerabilities in authentication, memory handling, and access controls (CWE-288, CWE-120, CWE-306) that allow unauthenticated remote attackers to execute code or cause denial of service. The vulnerabilities are exploitable only if an attacker can reach the network segment where ASPECT is installed; direct Internet exposure significantly increases risk. CVE-2025-53187 has a vendor fix available; the other vulnerabilities mentioned in the scope lack patch information from ABB.

What this means

What could happen

An attacker who gains network access to an ABB ASPECT building management system could take remote control of the device or shut down operations, affecting HVAC, lighting, access control, and other building systems that depend on it.

Who's at risk

Facility managers and IT staff running ABB ASPECT building management systems (Enterprise, NEXUS Series 2, NEXUS Series 3, and MATRIX Series platforms) used to control HVAC, lighting, power, and access systems in commercial buildings, data centers, and industrial facilities.

How it could be exploited

An attacker on the same network segment as an ASPECT device, or reaching it over the Internet if exposed (directly or via port forwarding), can send unauthenticated requests to exploit memory safety and authentication flaws (CWE-120, CWE-288, CWE-306) to execute code or deny service on the device.

Prerequisites

Network access to the ASPECT device (same segment or Internet if exposed directly or via NAT port forwarding)
No authentication required
No special configuration required

Remotely exploitableNo authentication requiredLow complexity attackCritical CVSS score (9.8)Affects building infrastructure and operationsDefault credentials typically present

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

ABB ASPECT-Enterprise ASP-ENT-x: <3.08.04-s01<3.08.04-s013.08.04-s01

ABB NEXUS Series NEX-2x: <3.08.04-s01<3.08.04-s013.08.04-s01

ABB MATRIX Series MAT-x: <3.08.04-s01<3.08.04-s013.08.04-s01

ABB NEXUS Series NEXUS-3-x: <3.08.04-s01<3.08.04-s013.08.04-s01

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGDo not expose ASPECT devices directly to the Internet. Do not use NAT port forwarding to make ASPECT reachable from outside your facility.

HARDENINGIf remote access to ASPECT is required, route all connections through a VPN gateway that requires user authentication and is current on security patches.

HARDENINGChange all default credentials on every ASPECT device during commissioning or immediately if not yet done.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade CVE-2025-53187 affected products to version 3.08.04-s01 or later when a maintenance window is available.

CVEs (3)

CVE-2025-53187 CVE-2025-7677 CVE-2025-7679

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4fcc279c-d3d2-4188-8393-b60234c4783a