PatchSiren cyber security CVE debrief

CVE-2024-51554 ABB CVE debrief

CVE-2024-51554 is a critical off-by-one vulnerability in ABB's ASPECT building automation system that enables array out-of-bounds access in a log script. Published July 3, 2024, and last modified December 5, 2024, it carries a CVSS 3.1 base score of 9.1 (Critical). The flaw affects multiple ABB product lines, including ASPECT®-Enterprise (ASP-ENT-x), the NEXUS Series (NEX-2x, NEXUS-3-x), and the MATRIX Series (MAT-x), at versions 3.08.02 and earlier. The network attack vector, low attack complexity, and scope change (S:C) indicate significant risk, particularly given the affected products' deployment in building automation and industrial control environments. CISA issued advisory ICSA-25-007-01 with multiple revisions tracking vendor patch availability; version 3.08.03 is the definitive fix. The December 2024 modification corrected an acknowledgment name, indicating ongoing advisory maintenance. Organizations should prioritize upgrading to 3.08.03 or later: the critical score reflects a high confidentiality impact (C:H) with limited integrity and availability consequences (I:L/A:L).

Vendor: ABB
Product: ASPECT®-Enterprise
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-03
Original CVE updated: 2024-12-05
Advisory published: 2024-07-03
Advisory updated: 2024-12-05

Who should care

Organizations operating ABB ASPECT building automation systems, particularly in critical infrastructure, healthcare, commercial real estate, and industrial facilities. Security teams responsible for OT/ICS asset management and patch coordination.

Technical summary

An off-by-one error in the ASPECT log script enables array out-of-bounds access. The flaw is network-exploitable with low attack complexity, and the scope change (S:C) means the impact extends beyond the vulnerable component itself. Confidentiality impact is high, with limited integrity and availability effects.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade ABB ASPECT products to version 3.08.03 or later to remediate the off-by-one vulnerability
  • Verify current ASPECT version across all deployed instances including ASPECT®-Enterprise, NEXUS Series, and MATRIX Series product lines
  • Apply network segmentation for unpatched ASPECT systems per CISA ICS recommended practices
  • Monitor vendor security bulletins for additional guidance on ABB building automation security
  • Review log script configurations and access controls as an interim defensive measure pending patch deployment

Evidence notes

CVE published 2024-07-03; CISA advisory ICSA-25-007-01 issued with revision history tracking patch availability through 3.08.03 (2024-11-28) and acknowledgment correction (2024-12-05). CVSS 9.1 reflects AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L vector. Affected products confirmed via CSAF product tree: ASP-ENT-x, NEX-2x, NEXUS-3-x, MAT-x all <=3.08.02.
