PatchSiren cyber security CVE debrief
CVE-2024-6516 ABB CVE debrief
Cross-site scripting (XSS) vulnerabilities in ABB ASPECT building automation systems allow malicious script injection into client browsers. Affected versions include ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) running firmware 3.08.02 and earlier. The vulnerability was disclosed on July 3, 2024, with vendor fixes becoming available in subsequent months: version 3.08.02 was released August 20, 2024, and the definitive fix, version 3.08.03, on November 28, 2024. The advisory was last updated December 5, 2024, for acknowledgment corrections. Organizations should upgrade to version 3.08.03 or later to remediate these vulnerabilities.
- Vendor: ABB
- Product: ASPECT®-Enterprise
- CVSS: 9.0 (Critical)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-03
- Original CVE updated: 2024-12-05
- Advisory published: 2024-07-03
- Advisory updated: 2024-12-05
Who should care
Organizations operating ABB ASPECT building automation and energy management systems, including facilities management teams, critical infrastructure operators, and industrial control system administrators responsible for HVAC, lighting, and building system security.
Technical summary
ABB ASPECT building automation systems contain cross-site scripting (XSS) vulnerabilities in versions 3.08.02 and earlier. The vulnerabilities allow malicious scripts to be injected into client browsers, potentially enabling session hijacking, credential theft, or unauthorized system manipulation. The attack vector is network-based with low complexity, requiring high privileges but no user interaction, and the CVSS scope is changed, meaning the impact can extend beyond the vulnerable component itself. Affected product lines include ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x). Vendor fixes are available: version 3.08.02 provided partial remediation (August 2024), with complete resolution in version 3.08.03 (November 2024).
Defensive priority
critical
Recommended defensive actions
- Upgrade ABB ASPECT systems to version 3.08.03 or later to remediate cross-site scripting vulnerabilities
- Verify current firmware version on ASPECT-Enterprise, NEXUS Series, and MATRIX Series devices
- Apply vendor security updates as documented in ABB technical publications
- Implement network segmentation for building automation systems per CISA ICS recommended practices
- Review and update web application security controls for ASPECT management interfaces
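The second action above, verifying firmware versions across the affected product lines, is easiest to do against an asset inventory rather than device by device. The script below is an added example written for this debrief; it is not PatchSiren or ABB code. It assumes the model-code prefixes (ASP-ENT-, NEX-2, NEXUS-3-, MAT-) derived from the advisory's product list, an inventory of constructed hostnames and firmware strings, and the version thresholds stated in the summary (3.08.02 partial remediation, 3.08.03 complete fix).

```python
import re
from dataclasses import dataclass

# Thresholds taken from the advisory summary: 3.08.02 was a partial fix,
# 3.08.03 and later fully resolve the XSS issues.
PARTIAL_FIX_VERSION = (3, 8, 2)
FIXED_VERSION = (3, 8, 3)

# Model-code prefixes are an assumption derived from the advisory's product
# list (ASP-ENT-x, NEX-2x, NEXUS-3-x, MAT-x); adjust to your inventory's naming.
AFFECTED_MODEL_PATTERNS = [
    re.compile(r"^ASP-ENT-", re.IGNORECASE),
    re.compile(r"^NEX-2", re.IGNORECASE),
    re.compile(r"^NEXUS-3-", re.IGNORECASE),
    re.compile(r"^MAT-", re.IGNORECASE),
]


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn a firmware string such as '3.08.02' (or 'v3.8.2') into a comparable tuple."""
    cleaned = version.strip().lstrip("vV")
    parts = cleaned.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def in_scope(model: str) -> bool:
    """True if the model code belongs to one of the product lines named in the advisory."""
    return any(pattern.match(model) for pattern in AFFECTED_MODEL_PATTERNS)


def classify(model: str, firmware: str) -> str:
    """Return 'out-of-scope', 'fixed', 'partial-fix' or 'affected' for one device."""
    if not in_scope(model):
        return "out-of-scope"
    version = parse_version(firmware)
    if version >= FIXED_VERSION:
        return "fixed"
    if version == PARTIAL_FIX_VERSION:
        # 3.08.02 shipped a partial remediation; the advisory still lists it as affected.
        return "partial-fix"
    return "affected"


@dataclass(frozen=True)
class Device:
    host: str
    model: str
    firmware: str


# Constructed sample inventory; hostnames and firmware values are illustrative only.
INVENTORY = [
    Device("bms-01.example.internal", "ASP-ENT-2", "3.07.00"),
    Device("bms-02.example.internal", "NEX-21", "3.08.02"),
    Device("bms-03.example.internal", "NEXUS-3-1", "3.08.03"),
    Device("bms-04.example.internal", "MAT-4", "3.08.01"),
    Device("plc-09.example.internal", "OTHER-X1", "2.00.00"),
]


def triage(devices: list[Device]) -> dict[str, list[str]]:
    """Group hostnames by remediation status so the 'affected' bucket can be scheduled first."""
    buckets: dict[str, list[str]] = {
        "affected": [], "partial-fix": [], "fixed": [], "out-of-scope": []
    }
    for device in devices:
        buckets[classify(device.model, device.firmware)].append(device.host)
    for hosts in buckets.values():
        hosts.sort()
    return buckets


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:13s} {len(hosts):2d}  {', '.join(hosts) or '-'}")
```

Run it against an exported inventory instead of the embedded list; anything in the "affected" or "partial-fix" buckets should be scheduled for the 3.08.03 upgrade, and "out-of-scope" entries are only as reliable as the model-code naming you feed in.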
Evidence notes
CISA ICS advisory ICSA-25-007-01 documents XSS vulnerabilities in ABB ASPECT systems with CVSS 3.1 score of 9.0 (Critical). The advisory revision history confirms initial disclosure July 3, 2024; update for version 3.08.02 availability on August 20, 2024; update for version 3.08.03 availability on November 28, 2024; and final correction December 5, 2024. Vendor fix confirmed in remediation section stating vulnerabilities resolved in 3.08.03 and later.
Official resources
- CVE-2024-6516 CVE record (CVE.org)
- CVE-2024-6516 NVD detail (NVD)
- Source item: CISA CSAF advisory (cisa_csaf)