PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-51544 ABB CVE debrief

Service Control vulnerabilities in ABB ASPECT allow unauthorized access to service restart requests and VM configuration settings. Affected versions are 3.08.02 and earlier across multiple product lines including ASPECT®-Enterprise, NEXUS Series, and MATRIX Series. The vulnerability has a CVSS 3.1 score of 8.2 (HIGH severity). Vendor fixes are available in version 3.08.03 and later.

Vendor: ABB
Product: ASPECT®-Enterprise
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-03
Original CVE updated: 2024-12-05
Advisory published: 2024-07-03
Advisory updated: 2024-12-05

Who should care

Organizations operating ABB ASPECT building automation and energy management systems, particularly in critical infrastructure environments. Security teams responsible for industrial control systems (ICS/OT) and facility management systems should prioritize patching. System integrators and managed service providers supporting ABB ASPECT deployments should assess client exposure and coordinate upgrades.

Technical summary

CVE-2024-51544 affects ABB ASPECT products including ASPECT®-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) running version 3.08.02 or earlier. The Service Control vulnerabilities enable unauthorized access to service restart requests and virtual machine configuration settings. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H with a base score of 8.2 (HIGH). The attack vector is network-based with low attack complexity, no privileges required, and no user interaction needed. The availability impact is rated HIGH and the integrity impact LOW, with no direct confidentiality impact. Vendor fixes are available in version 3.08.03 and later. The advisory was initially published on 2024-07-03 and most recently modified on 2024-12-05 to correct an acknowledgment name.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade affected ABB ASPECT products to version 3.08.03 or later to remediate Service Control vulnerabilities
  • Review and restrict network access to ASPECT systems per CISA ICS recommended practices
  • Monitor for unauthorized service restart requests or VM configuration changes on affected systems
  • Apply defense-in-depth strategies for industrial control systems as recommended by CISA

Evidence notes

CVE published 2024-07-03; advisory modified 2024-12-05 to correct acknowledgment name. Remediation available since version 3.08.03 per vendor advisory.
