PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-48844 ABB CVE debrief

ABB ASPECT systems are affected by Denial of Service vulnerabilities that could lead to device service disruptions. The vulnerability affects ASPECT versions 3.08.02 and earlier across multiple product lines including ASPECT®-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x). ABB has released version 3.08.03 to address these issues. The vulnerability was initially disclosed on July 3, 2024, with subsequent advisory updates in August and November 2024 as patched versions became available.

Vendor: ABB
Product: ASPECT®-Enterprise
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-03
Original CVE updated: 2024-12-05
Advisory published: 2024-07-03
Advisory updated: 2024-12-05

Who should care

Organizations operating ABB ASPECT building automation and energy management systems, particularly in critical infrastructure environments where system availability is essential. Facilities management teams, OT security practitioners, and industrial control system administrators responsible for ASPECT®-Enterprise, NEXUS Series, or MATRIX Series deployments should prioritize firmware updates.

Technical summary

Denial of Service vulnerabilities in ABB ASPECT systems (versions ≤3.08.02) allow potential device service disruptions. Affected product families include ASPECT®-Enterprise, NEXUS Series, and MATRIX Series. The vulnerability is resolved in ASPECT version 3.08.03. Network-accessible ASPECT devices with affected firmware versions are at risk of service disruption attacks.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade affected ABB ASPECT systems to version 3.08.03 or later to remediate Denial of Service vulnerabilities
  • Verify current ASPECT firmware version on ASP-ENT-x, NEX-2x, NEXUS-3-x, and MAT-x devices
  • Apply network segmentation for ASPECT systems per CISA ICS recommended practices
  • Monitor for anomalous network traffic patterns that may indicate DoS exploitation attempts
  • Review and implement defense-in-depth strategies for industrial control system environments
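
The firmware verification step above can be run against an asset inventory export. The following is an added example, not code from ABB, CISA, or this page; the CSV columns (host, model, firmware), the reading of the trailing "x" in each family name as a wildcard, and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
import re

# Affected families and fixed version, taken from the advisory summary above.
# Assumption: the trailing "x" in ASP-ENT-x, NEX-2x, NEXUS-3-x, MAT-x is a wildcard.
AFFECTED_MODEL_PREFIXES = ("ASP-ENT-", "NEX-2", "NEXUS-3-", "MAT-")
FIXED_VERSION = (3, 8, 3)  # ASPECT 3.08.03

# Constructed sample inventory; hosts and model suffixes are placeholders.
SAMPLE_INVENTORY = "\n".join([
    "host,model,firmware",
    "bms-01,ASP-ENT-1,3.08.02",
    "bms-02,NEXUS-3-1,3.08.03",
    "bms-03,MAT-1,3.8.1",
    "bms-04,NEX-21,unknown",
    "hvac-09,OTHER-CTRL,1.0.0",
])

def parse_version(text):
    """Turn '3.08.02' into (3, 8, 2); return None if it is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))  # pad '3.08' to (3, 8, 0)

def triage(inventory_csv):
    """Return (host, model, firmware, status) for devices in affected families."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].strip().upper()
        if not model.startswith(AFFECTED_MODEL_PREFIXES):
            continue  # not an ASPECT-family device named in the advisory
        version = parse_version(row["firmware"])
        if version is None:
            status = "UNKNOWN"  # unreadable version: verify on the device
        elif version < FIXED_VERSION:
            status = "VULNERABLE"  # numeric compare, so 3.8.1 == 3.08.01
        else:
            status = "PATCHED"
        results.append((row["host"], row["model"], row["firmware"], status))
    return results

if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print(*entry, sep="\t")
```

Versions are compared numerically rather than as strings, so inventory entries recorded without zero padding are still classified correctly, and devices with an unreadable version are flagged for manual verification instead of being assumed patched.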

Evidence notes

CISA ICS advisory ICSA-25-007-01 documents Denial of Service vulnerabilities in ABB ASPECT systems. The advisory was initially published July 3, 2024, with revisions tracking availability of fixes: version 2.0.0 on August 20, 2024 (ASPECT 3.08.02), version 3.0.0 on November 28, 2024 (ASPECT 3.08.03), and version 4.0.0 on December 5, 2024 (acknowledgment correction). Affected products confirmed: ASP-ENT-x <=3.08.02, NEX-2x <=3.08.02, NEXUS-3-x <=3.08.02, MAT-x <=3.08.02. Vendor fix available in version 3.08.03 and later per CSAF remediation data.
