PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-51542 ABB CVE debrief

CVE-2024-51542 is a HIGH severity configuration download vulnerability in ABB ASPECT building automation systems, published 2024-07-03. The flaw allows unauthorized access to dependency configuration information in affected products running firmware version 3.08.02 and earlier. ABB has released version 3.08.03 to remediate this issue. The vulnerability affects multiple product lines including ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) controllers. CISA issued advisory ICSA-25-007-01 with multiple revisions tracking patch availability through December 2024.

Vendor: ABB
Product: ASPECT®-Enterprise
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-03
Original CVE updated: 2024-12-05
Advisory published: 2024-07-03
Advisory updated: 2024-12-05

Who should care

Organizations operating ABB ASPECT building automation systems, including facility managers, OT security teams, critical infrastructure operators, and building systems integrators responsible for HVAC, energy management, and smart building deployments.

Technical summary

CVE-2024-51542 enables unauthorized access to dependency configuration information in ABB ASPECT building automation systems through the configuration download functionality. The vulnerability affects firmware versions 3.08.02 and earlier across the ASPECT-Enterprise, NEXUS Series, and MATRIX Series product lines. The CVSS 3.1 score of 8.2 (HIGH) reflects a network attack vector with low complexity, no privileges required, high confidentiality impact, and low integrity impact. ABB released version 3.08.03 as the vendor fix. CISA advisory ICSA-25-007-01 was initially published July 3, 2024, with subsequent revisions tracking patch availability through December 5, 2024.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade affected ABB ASPECT systems to version 3.08.03 or later to remediate configuration download vulnerabilities.
  • Verify firmware version on ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) controllers.
  • Apply network segmentation for building automation systems per CISA ICS recommended practices.
  • Monitor for unauthorized configuration access attempts in ASPECT system logs.
  • Review ABB technical documentation for secure configuration guidance.

Evidence notes

CVE published 2024-07-03; CISA advisory ICSA-25-007-01 was initially released the same date. The advisory was revised 2024-08-20 (v2.0.0) upon ASPECT 3.08.02 availability, 2024-11-28 (v3.0.0) upon 3.08.03 availability, and 2024-12-05 (v4.0.0) for an acknowledgment correction. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C.

Official resources

2024-07-03