PatchSiren cyber security CVE debrief
CVE-2024-11316 ABB CVE debrief
A file size validation vulnerability in ABB ASPECT building automation systems allows network-based attackers to bypass size limits or cause device overload, resulting in denial of service. The flaw affects ASPECT firmware versions 3.08.02 and earlier across multiple product lines including ASPECT-Enterprise, NEXUS Series, and MATRIX Series controllers. CISA published advisory ICSA-25-007-01 on July 3, 2024, with subsequent updates tracking patch availability through December 2024. The vulnerability carries a CVSS 3.1 score of 7.5 (HIGH) with a network attack vector requiring no authentication or user interaction. ABB released firmware version 3.08.03 to address this issue. Organizations should upgrade affected devices and implement network segmentation for building automation systems per CISA ICS recommended practices.
- Vendor
- ABB
- Product
- ASPECT®-Enterprise
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-07-03
- Original CVE updated
- 2024-12-05
- Advisory published
- 2024-07-03
- Advisory updated
- 2024-12-05
Who should care
Organizations operating ABB ASPECT building automation systems including facility managers, critical infrastructure operators, smart building administrators, and industrial control system security teams responsible for HVAC, energy management, and integrated building systems.
Technical summary
The vulnerability exists in the file size checking mechanism of ABB ASPECT building automation systems. Insufficient validation allows malicious users to bypass implemented size limits or submit files that cause device overload. The attack is remotely exploitable without authentication, affecting availability of the ASPECT device. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates network accessibility, low attack complexity, no privileges required, no user interaction, and high impact to availability. Exploitation does not affect confidentiality or integrity. ABB resolved the vulnerability in firmware version 3.08.03 released November 2024.
Defensive priority
high
Recommended defensive actions
- Upgrade ASPECT firmware to version 3.08.03 or later on all affected product lines (ASPECT-Enterprise, NEXUS Series, MATRIX Series)
- Verify file upload size validation controls are enforced after patching
- Segment building automation networks from enterprise IT and internet access per CISA ICS recommended practices
- Monitor ASPECT devices for anomalous resource consumption or unexpected reboots
- Review and restrict user access to ASPECT configuration interfaces
- Apply principle of least privilege for accounts with device management capabilities
Evidence notes
CISA CSAF advisory ICSA-25-007-01 published 2024-07-03; revision history documents patch availability updates on 2024-08-20 (v3.08.02) and 2024-11-28 (v3.08.03). CVSS vector confirms network-based, unauthenticated attack with high availability impact. Affected product enumeration derived from CSAF product tree with four distinct product IDs.
Official resources
-
CVE-2024-11316 CVE record
CVE.org
-
CVE-2024-11316 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-07-03