PatchSiren cyber security CVE debrief
CVE-2024-6298 ABB CVE debrief
A critical Improper Input Validation vulnerability in ABB ASPECT systems enables Remote Code Inclusion (RCI) with a CVSS 3.1 score of 10.0. The flaw affects ASPECT-Enterprise, NEXUS Series, and MATRIX Series products running version 3.08.01 and earlier. CISA published advisory ICSA-25-007-01 on July 3, 2024, with subsequent updates in August, November, and December 2024 as patched versions became available. ABB released fixes in versions 3.08.02 and later. The vulnerability requires no authentication, has low attack complexity, and can result in complete system compromise across affected network segments.
- Vendor
- ABB
- Product
- ASPECT®-Enterprise
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-07-03
- Original CVE updated
- 2024-12-05
- Advisory published
- 2024-07-03
- Advisory updated
- 2024-12-05
Who should care
Organizations operating ABB ASPECT building automation, energy management, or industrial control systems, particularly in critical infrastructure sectors. Security teams responsible for OT/ICS environments, facility management operators, and infrastructure owners using NEXUS or MATRIX series hardware should prioritize patching. Given the critical CVSS score and unauthenticated remote exploitability, this vulnerability poses severe risk to operational technology environments where ASPECT systems manage physical building controls.
Technical summary
CVE-2024-6298 is a critical Improper Input Validation vulnerability in ABB's ASPECT building automation and energy management platform. The flaw allows Remote Code Inclusion (RCI) without authentication, enabling attackers to execute arbitrary code on affected systems. The vulnerability impacts ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) products at version 3.08.01 and earlier. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C) indicates network exploitable, low complexity, no privileges required, scope change affecting other resources, and high impact on confidentiality, integrity, and availability. ABB remediated this in version 3.08.02, with additional updates through 3.08.03. CISA's advisory revision history tracks patch availability and advisory corrections through December 2024.
Defensive priority
critical
Recommended defensive actions
- Upgrade affected ABB ASPECT products to version 3.08.02 or later immediately
- Apply vendor patches for ASP-ENT-x, NEX-2x, NEXUS-3-x, and MAT-x systems running <=3.08.01
- Implement network segmentation to isolate ASPECT systems from untrusted networks
- Monitor for anomalous code execution or file inclusion attempts on ASPECT platforms
- Review and restrict input validation controls on all ASPECT system interfaces
- Follow CISA ICS recommended practices for defense-in-depth strategies
- Validate patch deployment across all affected product families: ASPECT-Enterprise, NEXUS Series, and MATRIX Series
Evidence notes
CVE published 2024-07-03; CISA advisory ICSA-25-007-01 issued same date. Advisory updated 2024-08-20 (v3.08.02 available), 2024-11-28 (v3.08.03 available), and 2024-12-05 (acknowledgment correction). CVSS vector confirms network attack vector, no privileges required, and scope change indicating impact beyond vulnerable component.
Official resources
-
CVE-2024-6298 CVE record
CVE.org
-
CVE-2024-6298 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-07-03T00:30:00.000Z