PatchSiren cyber security CVE debrief
CVE-2024-51548 ABB CVE debrief
A critical file upload vulnerability in ABB ASPECT building automation systems allows authenticated attackers to upload and execute malicious scripts. The vulnerability affects ASPECT versions 3.08.02 and earlier across multiple product lines including ASPECT-Enterprise, NEXUS Series, and MATRIX Series. ABB has released version 3.08.03 to address this issue. The vulnerability was disclosed on July 3, 2024, with subsequent advisory updates in August and November 2024 as patched versions became available.
- Vendor
- ABB
- Product
- ASPECT®-Enterprise
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-07-03
- Original CVE updated
- 2024-12-05
- Advisory published
- 2024-07-03
- Advisory updated
- 2024-12-05
Who should care
Organizations operating ABB ASPECT building automation systems, particularly in critical infrastructure, healthcare, commercial real estate, and industrial facilities. Security teams responsible for OT/ICS environments, facility managers, and system integrators deploying ABB energy management solutions should prioritize this patch.
Technical summary
CVE-2024-51548 is a dangerous file upload vulnerability in ABB's ASPECT building automation and energy management platform. The vulnerability allows authenticated attackers with low privileges to upload malicious scripts to the system, potentially leading to remote code execution. The CVSS 3.1 score of 9.9 reflects critical severity due to the network attack vector, low complexity, and high impacts across confidentiality, integrity, and availability with changed scope. Affected products include ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x), all at versions 3.08.02 and below. The vulnerability was patched in ASPECT version 3.08.03, released November 28, 2024.
Defensive priority
critical
Recommended defensive actions
- Upgrade affected ABB ASPECT systems to version 3.08.03 or later immediately
- If immediate patching is not possible, restrict network access to ASPECT management interfaces to authorized personnel only
- Monitor ASPECT systems for unauthorized file uploads or unexpected script execution
- Review and validate all existing uploaded content in ASPECT systems for signs of compromise
- Apply defense-in-depth strategies per CISA ICS recommended practices for industrial control systems
- Ensure proper network segmentation between ASPECT systems and untrusted networks
Evidence notes
CISA ICS advisory ICSA-25-007-01 provides authoritative documentation of this vulnerability. The advisory was initially published on July 3, 2024, and updated on August 20, 2024 (version 2.0.0) following availability of ASPECT 3.08.02, and again on November 28, 2024 (version 3.0.0) following availability of ASPECT 3.08.03. A final correction to acknowledgments was made on December 5, 2024 (version 4.0.0). The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, and changed scope with high impacts to confidentiality, integrity, and availability.
Official resources
-
CVE-2024-51548 CVE record
CVE.org
-
CVE-2024-51548 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-07-03