
ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)

Critical
Published: Thu Jun 05 2025 (06/05/2025, 00:00:00 UTC)
Source: Exploit-DB RSS Feed

Description

ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)

AI-Powered Analysis

AI analysis last updated: 06/11/2025, 08:16:18 UTC

Technical Analysis

The ABB Cylon Aspect 3.08.04 DeploySource vulnerability is a critical remote code execution (RCE) flaw affecting ABB's building management system (BMS) and building automation system (BAS) products, including the NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, and ASPECT-Studio, at firmware versions up to and including 3.08.04. The vulnerability resides in the AuthenticatedHttpServlet component of the application server, which improperly validates the Host HTTP header. By setting the Host header to 127.0.0.1, an attacker can bypass authentication, because the server treats the request as originating from localhost. This unauthorized access allows attackers to reach privileged servlets such as the DeploymentServlet, which suffers from a directory traversal vulnerability. Exploiting this, attackers can write arbitrary PHP files outside the intended directory, effectively uploading a malicious web shell. Once deployed, the shell executes system commands with the privileges of the web server user, typically 'apache', potentially leading to full system compromise. The exploit has been tested on multiple Linux kernel versions (2.6.32 to 3.15.10) and hardware architectures (x86_64 and ARMv7l), with PHP versions from 4.4.8 to 7.3.11, and with web servers including lighttpd and Apache 2.2.15 on CentOS. The vulnerability chains an authentication bypass with directory traversal to achieve remote code execution without valid credentials or user interaction. The exploit code demonstrates how to upload a PHP shell via crafted HTTP requests with the Host header set to 127.0.0.1 and then execute arbitrary commands remotely. This vulnerability was discovered by Gjoko 'LiquidWorm' Krstic and publicly disclosed in April 2024 with advisory ZSL-2025-5954. No official patches or vendor mitigations are currently linked, and no known exploits in the wild have been reported yet. However, the critical nature of the flaw and the ease of exploitation make it a significant threat to organizations using affected ABB Cylon Aspect products.

Potential Impact

For European organizations, the impact of this vulnerability is substantial, especially for those relying on ABB Cylon Aspect BMS/BAS solutions to manage critical building infrastructure such as energy management, HVAC, and security systems. Successful exploitation can lead to full system compromise, allowing attackers to execute arbitrary commands, manipulate building controls, disrupt operations, or pivot to other internal networks. This could result in operational downtime, safety hazards, data breaches, and regulatory non-compliance, particularly under GDPR and critical infrastructure protection frameworks. Given ABB's significant market presence in Europe, including in sectors like manufacturing, commercial real estate, and public infrastructure, the risk of disruption and potential physical consequences is high. The vulnerability's ability to bypass authentication and execute code remotely without user interaction increases the likelihood of targeted attacks or automated exploitation attempts once exploit code becomes widely available.

Mitigation Recommendations

1. Immediate network segmentation: Isolate ABB Cylon Aspect devices from general enterprise networks and restrict access to management interfaces to trusted internal IPs only.
2. Implement strict ingress filtering and firewall rules to block external access to the vulnerable HTTP servlets, especially blocking requests with suspicious Host headers.
3. Monitor HTTP traffic for anomalous Host header values, particularly '127.0.0.1', and deploy intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect exploitation attempts.
4. Disable or restrict the DeploymentServlet functionality if possible, or apply application-level access controls to prevent unauthorized use.
5. Conduct thorough audits of deployed ABB Cylon Aspect systems to identify affected firmware versions and isolate or upgrade devices.
6. Engage with ABB support channels to obtain patches or official mitigations as they become available.
7. Employ application whitelisting and endpoint protection on servers hosting the BMS/BAS to detect and block unauthorized PHP shells or suspicious file writes.
8. Regularly back up configuration and system states to enable rapid recovery in case of compromise.
9. Educate operational technology (OT) and IT security teams about this vulnerability to ensure rapid detection and response.
10. Consider deploying web application firewalls (WAF) with custom rules to block directory traversal and unauthorized deployment requests.
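As an added defender-side illustration (not part of the advisory or the exploit), the check below applies recommendation 3 to raw HTTP requests: it flags a loopback Host header arriving from a non-loopback client, URL-encoded traversal sequences, and requests that combine either with the DeploymentServlet name. It generalizes the advisory's '127.0.0.1' to any loopback value (127.0.0.0/8, ::1, localhost); the servlet path, the 'file' parameter and all sample traffic are constructed placeholders, since the advisory does not give them.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

def parse_request(raw: str):
    """Split a raw HTTP request into (target, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, body

def host_is_loopback(host: str) -> bool:
    """True if a Host header names loopback: 127.0.0.0/8, ::1 or localhost."""
    try:
        name = urlsplit("//" + host).hostname or ""  # drops port and [] brackets
        return name == "localhost" or ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False

def assess(client_ip: str, raw_request: str) -> list:
    """Return findings for one request; an empty list means nothing suspicious."""
    target, headers, body = parse_request(raw_request)
    findings = []
    host = headers.get("host", "")
    # A loopback Host is only plausible when the TCP peer itself is loopback.
    if host_is_loopback(host) and not ipaddress.ip_address(client_ip).is_loopback:
        findings.append(f"spoofed loopback Host header '{host}' from {client_ip}")
    decoded = unquote(unquote(target + " " + body))  # double-decode beats %252e
    if "../" in decoded or "..\\" in decoded:
        findings.append("directory traversal sequence in request")
    if findings and "deploymentservlet" in target.lower():
        findings.append("privileged DeploymentServlet targeted")
    return findings

# Constructed sample traffic, not real captures; the servlet path and the
# 'file' parameter are placeholders the advisory does not specify.
SAMPLE_TRAFFIC = [
    ("10.10.5.7", "GET /index.html HTTP/1.1\r\nHost: bms.example.internal\r\n\r\n"),
    ("198.51.100.23", "POST /DeploymentServlet HTTP/1.1\r\nHost: 127.0.0.1\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\nfile=..%2f..%2ftest.php"),
    ("127.0.0.1", "GET /status HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"),
]
```

Run `assess(ip, req)` over each tuple in SAMPLE_TRAFFIC: only the second request produces findings, because a loopback Host from a loopback peer (third request) is normal local traffic.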


Technical Details

EDB ID: 52317
Has Exploit Code: true
Code Language: text

Exploit Source Code

ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.04

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: ABB Cylon Aspect BMS/BAS is
... (3576 more characters)
Code Length: 4,076 characters

Threat ID: 68489c8b82cbcead926210e8

Added to database: 6/10/2025, 8:58:51 PM

Last enriched: 6/11/2025, 8:16:18 AM

Last updated: 8/12/2025, 1:02:56 PM
