PatchSiren cyber security CVE debrief
CVE-2024-51543 ABB CVE debrief
CVE-2024-51543 is a HIGH severity information disclosure vulnerability affecting ABB ASPECT building automation systems. It allows unauthenticated remote attackers to access sensitive application configuration information. The affected products are ASPECT®-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) running firmware version 3.08.02 and earlier. The vulnerability was disclosed on July 3, 2024, with subsequent advisory updates through December 5, 2024, reflecting patch availability. The CVSS 3.1 score of 8.2 reflects a network attack vector with low complexity, no required privileges or user interaction, and high confidentiality impact. CISA issued advisory ICSA-25-007-01 for this vulnerability. ABB released version 3.08.03 to remediate the issue. Organizations should upgrade to version 3.08.03 or later and implement network segmentation for building automation systems per CISA ICS recommended practices.
- Vendor: ABB
- Product: ASPECT®-Enterprise
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-03
- Original CVE updated: 2024-12-05
- Advisory published: 2024-07-03
- Advisory updated: 2024-12-05
Who should care
Organizations operating ABB ASPECT building automation systems, including facility managers, OT security teams, critical infrastructure operators, and building management system administrators responsible for HVAC, energy management, and integrated building control systems.
Technical summary
CVE-2024-51543 is an information disclosure vulnerability that exposes application configuration information in ABB ASPECT building automation products. Versions ≤3.08.02 of the ASPECT®-Enterprise, NEXUS Series, and MATRIX Series product lines permit access to sensitive configuration data without authentication. The vulnerability is remotely exploitable with low attack complexity. Remediation requires a firmware upgrade to version 3.08.03 or later.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade ABB ASPECT products to version 3.08.03 or later to remediate the information disclosure vulnerability
- Verify current firmware version on ASPECT®-Enterprise, NEXUS Series, and MATRIX Series devices
- Implement network segmentation to isolate building automation systems from untrusted networks
- Apply CISA ICS recommended practices for defense-in-depth security architecture
- Review and restrict network access to ASPECT system configuration interfaces
- Monitor for unauthorized access attempts to application configuration endpoints
Evidence notes
Vulnerability disclosed via CISA CSAF advisory ICSA-25-007-01 on 2024-07-03. Advisory updated 2024-08-20 (v2.0.0) for ASPECT 3.08.02 availability, 2024-11-28 (v3.0.0) for 3.08.03 availability, and 2024-12-05 (v4.0.0) for acknowledgment correction. Vendor fix confirmed in 3.08.03 per remediation details.
Official resources
- CVE-2024-51543 CVE record (CVE.org)
- CVE-2024-51543 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-07-03