PatchSiren cyber security CVE debrief
CVE-2024-51551 ABB CVE debrief
ABB ASPECT systems ship with publicly known default credentials that allow unauthenticated remote attackers to gain full administrative access to affected devices. The vulnerability affects ASPECT-Enterprise, NEXUS Series, and MATRIX Series products running version 3.07.02 and earlier on Linux. CISA published this advisory on July 3, 2024, with subsequent updates in August, November, and December 2024 as patched versions became available. The CVSS 3.1 score of 10.0 reflects network exploitability without authentication, with high impacts to confidentiality, integrity, and availability across affected systems.
- Vendor: ABB
- Product: ASPECT®-Enterprise
- CVSS: CRITICAL 10.0
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-03
- Original CVE updated: 2024-12-05
- Advisory published: 2024-07-03
- Advisory updated: 2024-12-05
Who should care
Organizations operating ABB ASPECT building automation or industrial control systems, particularly in critical infrastructure sectors. Security teams responsible for OT/ICS asset management, network defenders monitoring for unauthorized access to building management systems, and compliance officers tracking CISA ICS advisories.
Technical summary
ABB ASPECT systems on Linux platforms contain default credential vulnerabilities that allow remote attackers to authenticate using publicly available default credentials. The vulnerability is present in ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) products through version 3.07.02. Successful exploitation grants unauthorized access to the Aspect device with administrative privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) indicates network-based attack with low complexity, no privileges required, no user interaction, and high impacts across confidentiality, integrity, and availability with scope change. Vendor fixes are available in version 3.08.00 and later, with subsequent releases 3.08.02 and 3.08.03 providing additional updates.
Defensive priority
critical
Recommended defensive actions
- Immediately inventory all ABB ASPECT, NEXUS, and MATRIX series devices in your environment and identify firmware versions
- Upgrade all affected devices to ASPECT version 3.08.00 or later; CISA notes versions 3.08.02 and 3.08.03 were subsequently released with additional fixes
- If immediate patching is not possible, restrict network access to ASPECT devices at the network perimeter and segment from untrusted networks
- Change default credentials on all ASPECT devices where technically feasible prior to upgrade
- Monitor for unauthorized access attempts to ASPECT management interfaces
- Apply CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
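The first two actions above (inventory the devices, then decide which ones need the 3.08.00 upgrade) are mechanical once the version boundaries are known. The added example below (not tooling from ABB, CISA or this site) triages a device inventory against the advisory's affected range (3.07.02 and earlier) and fixed floor (3.08.00 and later). The product-family regexes are this example's reading of the CSAF wildcards ASP-ENT-x, NEX-2x, NEXUS-3-x and MAT-x, and every hostname, model suffix and version in INVENTORY is constructed sample data. It also handles the cases that trip up naive string comparison: zero-padded versions, versions that are not plain dotted integers, and versions that fall in the gap between the last affected and first fixed release.

```python
import re
from typing import Optional

# Product families from the advisory's CSAF product tree. The regexes are this
# example's own interpretation of the wildcards; verify against your asset data.
AFFECTED_FAMILIES = {
    "ASPECT-Enterprise": re.compile(r"^ASP-ENT-", re.IGNORECASE),
    "NEXUS Series": re.compile(r"^(?:NEX-2|NEXUS-3-)", re.IGNORECASE),
    "MATRIX Series": re.compile(r"^MAT-", re.IGNORECASE),
}

LAST_AFFECTED = (3, 7, 2)  # "3.07.02 and earlier" per the advisory
FIRST_FIXED = (3, 8, 0)    # "3.08.00 and later" carries the vendor fix

INVENTORY = [  # constructed sample data, not real devices
    {"host": "bms-ent-01", "model": "ASP-ENT-01", "version": "3.07.02"},
    {"host": "bms-nex-02", "model": "NEX-201", "version": "3.06.00"},
    {"host": "bms-nex-03", "model": "NEXUS-3-01", "version": "3.08.03"},
    {"host": "bms-mat-04", "model": "MAT-01", "version": "3.08.00"},
    {"host": "bms-mat-05", "model": "MAT-02", "version": "3.07.02-dev"},
    {"host": "ctrl-other-06", "model": "OTHER-01", "version": "2.3.1"},
]


def parse_version(text: str) -> Optional[tuple]:
    """'3.07.02' -> (3, 7, 2). Zero padding is not significant, so 3.7.2 compares
    equal to 3.07.02. Anything that is not dotted integers returns None so the
    caller flags it for manual verification instead of guessing."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def product_family(model: str) -> Optional[str]:
    """Map a model string to an advisory product family, or None if out of scope."""
    for family, pattern in AFFECTED_FAMILIES.items():
        if pattern.search(model):
            return family
    return None


def classify(model: str, version: str) -> str:
    """Return the triage status for one device."""
    if product_family(model) is None:
        return "not in scope"
    v = parse_version(version)
    if v is None:
        return "unknown version - verify manually"
    if v <= LAST_AFFECTED:
        return "affected - upgrade to 3.08.00 or later"
    if v >= FIRST_FIXED:
        return "fixed"
    # Anything between 3.07.02 and 3.08.00 is not described in the advisory data.
    return "unlisted version - verify manually"


def triage(inventory: list) -> list:
    """Annotate every inventory row with family and status; affected rows first."""
    rows = [{**dev,
             "family": product_family(dev["model"]),
             "status": classify(dev["model"], dev["version"])}
            for dev in inventory]
    rows.sort(key=lambda r: not r["status"].startswith("affected"))
    return rows


def summary(inventory: list) -> dict:
    """Count devices per status, the figure a patch-tracking report wants."""
    counts: dict = {}
    for row in triage(inventory):
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['host']:<14} {row['model']:<12} {row['version']:<12} {row['status']}")
    print(summary(INVENTORY))
```

Feed the real export from your asset management system into `triage()` in place of INVENTORY; rows that come back "verify manually" are the ones to check against the device's own version screen rather than trusting the inventory string.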
Evidence notes
Source: CISA CSAF advisory ICSA-25-007-01. Affected products confirmed via CSAF product tree: ASP-ENT-x, NEX-2x, NEXUS-3-x, and MAT-x all at versions <=3.07.02. Vendor fix confirmed in versions 3.08.00 and later per remediation data. Advisory revision history shows initial publication 2024-07-03, with updates tracking availability of versions 3.08.02 (2024-08-20) and 3.08.03 (2024-11-28).
Official resources
- CVE-2024-51551 CVE record (CVE.org)
- CVE-2024-51551 NVD detail (NVD)
- Source item: cisa_csaf