PatchSiren cyber security CVE debrief
CVE-2024-6515 ABB CVE debrief
A critical vulnerability in ABB ASPECT building automation systems allows credential exposure through the web browser interface. The application handles usernames and passwords in clear text or Base64 encoding, significantly increasing the risk of unintended credential disclosure. This affects ASPECT-Enterprise, NEXUS Series, and MATRIX Series products running version 3.08.02 and earlier. The vulnerability was disclosed on July 3, 2024, with patches becoming available in subsequent months: version 3.08.02 was released by August 20, 2024, and the definitive fix, version 3.08.03, by November 28, 2024. The CVSS 3.1 score of 9.6 reflects severe impact: network attack vector, low complexity, no user interaction required, and high confidentiality and integrity impact with scope change. Organizations should prioritize upgrading to version 3.08.03 or later and implement network segmentation for affected systems.
- Vendor: ABB
- Product: ASPECT®-Enterprise
- CVSS: CRITICAL 9.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-03
- Original CVE updated: 2024-12-05
- Advisory published: 2024-07-03
- Advisory updated: 2024-12-05
Who should care
Organizations operating ABB ASPECT building automation systems, particularly in critical infrastructure, healthcare, education, and commercial real estate sectors. Security teams responsible for OT/ICS environments, facility managers with cybersecurity oversight, and compliance officers addressing NERC CIP or similar control system security requirements.
Technical summary
The ABB ASPECT web browser interface improperly handles authentication credentials by transmitting or storing usernames and passwords in clear text or Base64 encoding. This encoding provides no cryptographic protection and is trivially reversible, creating conditions for credential theft through network interception, browser developer tools inspection, or log file analysis. The vulnerability affects the ASPECT-Enterprise platform and related NEXUS and MATRIX series products, which are deployed in building automation and energy management contexts. The attack vector is network-accessible with low complexity, requiring no user interaction, and successful exploitation yields high impact to confidentiality and integrity with scope change potential.
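The point of the technical summary is that Base64 is an encoding, not encryption, so any credential carried that way in a header or query string is effectively in clear text to anyone who can read the traffic or the logs. The following is an added detection example written for this debrief, not ABB code: it scans a few constructed request log lines (the request shapes and parameter names are assumed for illustration and are not the real ASPECT interface format) and flags credentials exposed in clear text or reversible Base64, the kind of check a defender can run against proxy or web-server logs while the upgrade to 3.08.03 is pending.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample request log lines. The paths and parameter names are
# ASSUMED for illustration only and are not the real ASPECT interface format.
SAMPLE_LOG = [
    "GET /login?username=operator&password=Winter2024 HTTP/1.1",
    "GET /login?auth=b3BlcmF0b3I6V2ludGVyMjAyNA== HTTP/1.1",
    "GET /api/status HTTP/1.1 Authorization: Basic YWRtaW46YnVpbGRpbmcx",
    "GET /api/status HTTP/1.1 Authorization: Bearer eyJhbGciOiJub25lIn0",
    "GET /dashboard?view=floor2 HTTP/1.1",
]

# Parameter names that commonly carry credentials (assumed list).
CRED_KEYS = {"username", "user", "password", "pass", "pwd", "auth"}
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")


def decode_user_pass(token: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) if token is Base64 of 'user:pass', else None.
    Base64 offers no secrecy: anyone holding the token can reverse it."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw or not raw.isprintable():
        return None
    user, _, pwd = raw.partition(":")
    return user, pwd


def find_exposed_credentials(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Flag requests carrying credentials in clear text or reversible Base64.
    Returns (line number, finding type, user name or parameter name)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = BASIC_RE.search(line)
        if m:
            up = decode_user_pass(m.group(1))
            if up:
                findings.append((n, "basic-auth-base64", up[0]))
        path = line.split(" ", 2)[1] if line.startswith(("GET ", "POST ")) else ""
        for key, values in parse_qs(urlsplit(path).query).items():
            if key.lower() not in CRED_KEYS:
                continue
            for value in values:
                up = decode_user_pass(value)
                if up:
                    findings.append((n, "query-base64", up[0]))
                else:
                    findings.append((n, "query-cleartext", key))
    return findings
```

Any hit is a credential that must be treated as exposed and rotated, which is the basis for the rotation step in the recommended actions.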
Defensive priority
critical
Recommended defensive actions
- Upgrade ABB ASPECT products to version 3.08.03 or later to remediate credential exposure vulnerability
- Apply network segmentation to isolate affected building automation systems from untrusted networks
- Review and rotate any credentials that may have been exposed through the vulnerable web interface
- Monitor for unauthorized access attempts to ASPECT systems pending patch deployment
- Implement defense-in-depth controls per CISA ICS recommended practices for industrial control systems
Evidence notes
CISA ICS advisory ICSA-25-007-01 documents this vulnerability with revision history showing initial disclosure on 2024-07-03, update for version 3.08.02 availability on 2024-08-20, and final patch 3.08.03 availability on 2024-11-28. Affected products confirmed: ASP-ENT-x, NEX-2x, NEXUS-3-x, and MAT-x all at versions <=3.08.02.
Official resources
- CVE-2024-6515 CVE record (CVE.org)
- CVE-2024-6515 NVD detail (NVD)
- Source item URL: cisa_csaf
- Source reference
2024-07-03