PatchSiren cyber security CVE debrief
CVE-2024-6784 ABB CVE debrief
Server-Side Request Forgery (SSRF) vulnerabilities in ABB ASPECT systems enable authenticated attackers to access unauthorized internal resources and disclose sensitive information. The vulnerability affects multiple product lines including ASPECT-Enterprise, NEXUS Series, and MATRIX Series running firmware version 3.08.02 and earlier. CISA published initial advisory ICSA-25-007-01 on July 3, 2024, with subsequent updates tracking patch availability through December 5, 2024. The vendor released version 3.08.03 to remediate these vulnerabilities. No known exploitation in ransomware campaigns has been reported.
- Vendor
- ABB
- Product
- ASPECT®-Enterprise
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-07-03
- Original CVE updated
- 2024-12-05
- Advisory published
- 2024-07-03
- Advisory updated
- 2024-12-05
Who should care
Organizations operating ABB ASPECT building automation, energy management, or industrial control systems; critical infrastructure operators in energy, manufacturing, and smart building sectors; OT security teams responsible for HVAC, lighting, and facility management systems; compliance officers managing IEC 62443 or NERC CIP obligations for building automation networks.
Technical summary
Multiple Server-Side Request Forgery vulnerabilities exist in ABB ASPECT building automation and energy management systems. Affected products include ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) devices running firmware version 3.08.02 and earlier. The vulnerabilities allow authenticated attackers with low privileges to make unauthorized requests to internal resources, potentially leading to information disclosure and unauthorized access to network-resident services. The CVSS 3.1 score of 9.9 reflects a network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability. CISA's advisory revision history indicates coordinated disclosure with vendor patch releases: initial publication July 3, 2024; an update on August 20, 2024 for version 3.08.02 availability; an update on November 28, 2024 for version 3.08.03 availability; and a final correction on December 5, 2024.
Defensive priority
Critical
Recommended defensive actions
- Upgrade affected ABB ASPECT systems to version 3.08.03 or later to remediate SSRF vulnerabilities
- Verify firmware version on ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) devices
- Restrict network access to ASPECT management interfaces to authorized administrative hosts only
- Monitor for anomalous outbound requests from ASPECT systems that may indicate SSRF exploitation attempts
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
- Consult ABB technical documentation HT0038 and security advisory 9AKK108469A7497 for detailed remediation guidance
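The two actions above that an OT team can script, the firmware version check and the monitoring of outbound requests from ASPECT controllers, are shown together in the following added example. It is not code from ABB, CISA or this debrief. The inventory records, the key=value egress log format, and the per-controller baseline of expected destinations are constructed assumptions; an operator would substitute their own asset inventory and firewall export, and the version boundary (3.08.02 and earlier affected, 3.08.03 fixed) is the only fact taken from the advisory.

```python
"""Added example (not vendor or CISA code): firmware inventory check plus an
egress-log heuristic for off-baseline requests from ASPECT controllers.

Assumptions: the inventory, the log line format and the BASELINE mapping are
constructed for illustration; real values come from the operator's own data.
"""
import re

# From the advisory: 3.08.02 and earlier are affected, 3.08.03 remediates.
FIXED_VERSION = (3, 8, 3)

# Constructed inventory. Model prefixes follow the advisory's product names;
# hosts and firmware strings are hypothetical.
INVENTORY = [
    {"host": "10.20.0.15", "model": "ASP-ENT-2", "firmware": "3.08.02"},
    {"host": "10.20.0.16", "model": "NEX-21", "firmware": "3.07.00"},
    {"host": "10.20.0.17", "model": "MAT-2", "firmware": "3.08.03"},
    {"host": "10.20.0.18", "model": "NEXUS-3-A", "firmware": "unknown"},
]


def parse_version(text):
    """Turn '3.08.02' into (3, 8, 2); return None for anything not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_affected(firmware):
    """True for 3.08.02 and earlier. An unparsable version string is treated as
    affected so the device surfaces for manual verification."""
    version = parse_version(firmware)
    if version is None:
        return True
    # Pad short strings so '3.08' compares as (3, 8, 0).
    version = version + (0,) * (len(FIXED_VERSION) - len(version))
    return version < FIXED_VERSION


def devices_needing_upgrade(inventory):
    """Hosts whose firmware is at or below the affected boundary."""
    return [dev["host"] for dev in inventory if is_affected(dev["firmware"])]


# Constructed egress/firewall log lines (key=value layout is an assumption).
EGRESS_LOG = """\
2024-07-10T08:00:01Z src=10.20.0.15 dst=10.20.5.8 dport=443 action=allow
2024-07-10T08:00:02Z src=10.20.0.15 dst=10.20.0.1 dport=53 action=allow
2024-07-10T08:01:15Z src=10.20.0.15 dst=10.20.9.44 dport=8080 action=allow
2024-07-10T08:01:16Z src=10.20.0.15 dst=10.20.7.3 dport=80 action=deny
2024-07-10T08:02:00Z src=10.20.0.99 dst=10.20.9.44 dport=8080 action=allow
2024-07-10T08:02:30Z src=10.20.0.16 dst=10.20.5.8 dport=443 action=deny
"""

# Hypothetical baseline: for each ASPECT controller, the destinations the
# operator has documented as legitimate (central server, site DNS, ...).
# Hosts absent from this mapping are not ASPECT controllers and are ignored.
BASELINE = {
    "10.20.0.15": {"10.20.5.8", "10.20.0.1"},
    "10.20.0.16": {"10.20.5.8", "10.20.0.1"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def ssrf_candidates(lines, baseline):
    """Return parsed log records where an ASPECT controller contacted a
    destination outside its baseline. Denied connections are kept too: a
    blocked request from a controller is still worth an analyst's look."""
    findings = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # line does not fit the constructed format
        rec = match.groupdict()
        allowed = baseline.get(rec["src"])
        if allowed is None:
            continue  # source is not one of the ASPECT controllers
        if rec["dst"] not in allowed:
            findings.append(rec)
    return findings


if __name__ == "__main__":
    print("Upgrade needed:", devices_needing_upgrade(INVENTORY))
    for rec in ssrf_candidates(EGRESS_LOG.splitlines(), BASELINE):
        print("Off-baseline request:", rec)
```

The version check deliberately errs on the side of flagging: a device whose firmware string cannot be parsed is listed for upgrade review rather than silently passed. The log heuristic keys on the source host rather than on any request payload, because a building automation controller's legitimate set of peers is small and stable, which makes a documented baseline a more reliable signal than trying to recognise SSRF traffic by content.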
Evidence notes
CVE published 2024-07-03 per CISA CSAF advisory ICSA-25-007-01. Advisory revised August 20, 2024 (v2.0.0) upon ASPECT 3.08.02 availability, November 28, 2024 (v3.0.0) upon 3.08.03 availability, and December 5, 2024 (v4.0.0) for acknowledgment correction. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C.
Official resources
- CVE-2024-6784 CVE record (CVE.org)
- CVE-2024-6784 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
2024-07-03