PatchSiren cyber security CVE debrief
CVE-2024-51546 ABB CVE debrief
ABB ASPECT systems contain a credentials disclosure vulnerability that allows unauthorized access to on-board project backup bundles. The vulnerability affects ASPECT firmware versions 3.08.02 and earlier across multiple product lines including ASPECT®-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) devices. CISA published this advisory on July 3, 2024, with subsequent updates through December 5, 2024 to reflect patch availability and acknowledgment corrections. The vulnerability carries a CVSS 3.1 score of 7.5 (HIGH severity) with a network attack vector, low attack complexity, and no required privileges or user interaction, enabling remote attackers to obtain sensitive credential information from backup bundles. ABB released version 3.08.03 to remediate this issue. Organizations should upgrade affected systems and apply defense-in-depth measures for industrial control systems.
- Vendor
- ABB
- Product
- ASPECT®-Enterprise
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-07-03
- Original CVE updated
- 2024-12-05
- Advisory published
- 2024-07-03
- Advisory updated
- 2024-12-05
Who should care
Organizations operating ABB ASPECT building automation or industrial control systems, particularly in critical infrastructure sectors. Security teams responsible for ICS/OT asset management, network defenders monitoring for unauthorized credential access, and compliance officers tracking vulnerability remediation timelines should prioritize this issue given the network-exploitable nature and high confidentiality impact.
Technical summary
The vulnerability exists in the ASPECT firmware's handling of project backup bundles, where credentials are disclosed in a manner that allows unauthorized actors to access sensitive authentication information. The attack is remotely exploitable without authentication, making it particularly dangerous for internet-exposed or poorly segmented ICS networks. The confidentiality impact is rated HIGH while integrity and availability impacts are NONE. The vulnerability was present in firmware through version 3.08.02; version 3.08.03 contains the remediation.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade all affected ABB ASPECT systems to version 3.08.03 or later to remediate the credentials disclosure vulnerability
- Inventory and identify all deployed ASPECT®-Enterprise, NEXUS Series, and MATRIX Series devices running firmware version 3.08.02 or earlier
- Restrict network access to ASPECT device management interfaces to authorized administrative hosts only
- Review and rotate any credentials that may have been exposed in project backup bundles on affected systems
- Implement network segmentation for industrial control systems per CISA recommended practices
- Monitor for unauthorized access attempts to ASPECT backup bundle endpoints
- Apply defense-in-depth strategies including least privilege access and continuous monitoring for ICS environments
Evidence notes
The vulnerability description and affected product versions are derived from CISA CSAF advisory ICSA-25-007-01. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C) indicates network accessibility with low complexity and high confidentiality impact. Remediation guidance specifies version 3.08.03 and later as the vendor fix.
Official resources
-
CVE-2024-51546 CVE record
CVE.org
-
CVE-2024-51546 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published advisory ICSA-25-007-01 on July 3, 2024, with revisions on August 20, 2024 (ASPECT 3.08.02 availability), November 28, 2024 (ASPECT 3.08.03 availability), and December 5, 2024 (acknowledgment correction).