CVE-2024-48845 Overview
CVE-2024-48845 is a critical weak-password-requirements vulnerability (CWE-521) affecting ABB's building automation and energy management systems, including the ASPECT Enterprise, NEXUS Series, and MATRIX Series product lines. Because the password reset operation does not enforce sufficient password complexity, weak passwords can be set and stored on the device, potentially enabling unauthorized administrative access to affected systems.
These ABB products are widely deployed in commercial building automation, energy management, and industrial control environments. The weakness in password policy enforcement creates a significant attack surface for threat actors seeking to compromise building management systems, HVAC controls, and energy monitoring infrastructure.
Critical Impact
Attackers can exploit weak password requirements to gain unauthorized administrative access to building automation systems, potentially compromising physical security, HVAC systems, and critical infrastructure operations.
Affected Products
- ABB ASPECT Enterprise (v3.07.02) - All variants including ASPECT-ENT-2, ASPECT-ENT-12, ASPECT-ENT-96, ASPECT-ENT-256
- ABB NEXUS Series (v3.07.02) - All variants including NEXUS-264, NEXUS-2128, NEXUS-3-264, NEXUS-3-2128
- ABB MATRIX Series (v3.07.02) - All variants including MATRIX-11, MATRIX-216, MATRIX-232, MATRIX-264, MATRIX-296
Discovery Timeline
- December 5, 2024 - CVE-2024-48845 published to NVD
- February 27, 2025 - Last updated in NVD database
Technical Details for CVE-2024-48845
Vulnerability Analysis
This vulnerability is classified under CWE-521 (Weak Password Requirements), indicating that the affected ABB devices fail to enforce adequate password complexity rules during the password reset process. The flaw allows users or administrators to set passwords that do not meet industry-standard complexity requirements, such as minimum length, character diversity (uppercase, lowercase, numbers, special characters), or prohibition of common/dictionary passwords.
The network-accessible nature of these building automation devices means that weak passwords can be targeted through remote authentication attempts. Given that these systems often control critical building infrastructure including HVAC, lighting, access control, and energy management, successful exploitation could have significant operational and safety implications.
Root Cause
The root cause of CVE-2024-48845 lies in inadequate password policy validation within the firmware's password reset functionality. The affected ABB devices running firmware version 3.07.02 and earlier do not properly enforce password complexity requirements, allowing:
- Short passwords below recommended minimum lengths
- Passwords lacking character diversity requirements
- Common or easily guessable password patterns
- Passwords that may match dictionary words or known weak password lists
This implementation gap in the authentication subsystem creates opportunities for credential-based attacks against the device management interfaces.
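To make the CWE-521 gap concrete, here is an added illustration (not ABB's firmware code; the deny-list, the 12-character minimum and the three-of-four character-class rule are assumptions that follow this page's guidance) of a reset path that accepts anything beside one that rejects each weakness listed above:

```python
import hashlib
import os
import re

# Constructed stand-in for a common/dictionary password deny-list; a real
# deployment would load a much larger list (e.g. a breached-password corpus).
COMMON_PASSWORDS = {"password", "admin", "12345678", "welcome1", "building1"}

def reset_password_weak(new_password: str) -> bool:
    """CWE-521 pattern (hypothetical, not ABB's code): the reset path only
    checks that something was supplied, so 'admin' or '1234' gets stored."""
    return len(new_password) > 0

def validate_reset_password(new_password: str, username: str = "") -> list[str]:
    """Hardened reset check. Returns the list of policy violations; an empty
    list means the new password may be stored."""
    problems = []
    if len(new_password) < 12:
        problems.append("shorter than 12 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(1 for c in classes if re.search(c, new_password)) < 3:
        problems.append("fewer than 3 of 4 character classes")
    lowered = new_password.lower()
    # Strip digits/symbols so 'Password123!' is still caught as 'password'.
    if lowered in COMMON_PASSWORDS or re.sub(r"[^a-z]", "", lowered) in COMMON_PASSWORDS:
        problems.append("matches a common/dictionary password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if re.search(r"(.)\1{3,}", new_password):
        problems.append("contains a run of 4+ identical characters")
    return problems

def reset_password(store: dict, username: str, new_password: str) -> bool:
    """Store the credential (salted PBKDF2 hash) only when the hardened check passes."""
    if validate_reset_password(new_password, username):
        return False
    salt = os.urandom(16)
    store[username] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return True
```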
Attack Vector
The vulnerability is exploitable over the network without requiring prior authentication or user interaction. An attacker can leverage this weakness through several attack scenarios:
Credential Brute-Force Attacks: Weak passwords significantly reduce the keyspace an attacker must search, making brute-force attacks against the web interface or API endpoints more feasible.
Password Spraying: Common weak passwords can be attempted across multiple ABB devices in an enterprise deployment, potentially compromising multiple building automation systems simultaneously.
Social Engineering Exploitation: If default or simple passwords are commonly set by administrators due to weak policy enforcement, attackers may successfully guess credentials based on organizational patterns or device defaults.
Post-Compromise Persistence: After initial access, attackers can reset passwords to weak values to maintain persistent access while evading detection.
The vulnerability affects the administrative and application access layers, meaning successful exploitation grants full control over the building automation system's configuration, monitoring capabilities, and connected subsystems.
Detection Methods for CVE-2024-48845
Indicators of Compromise
- Multiple failed authentication attempts followed by successful login from unexpected IP addresses
- Password reset operations performed outside normal administrative hours or from unusual network locations
- Administrative configuration changes without corresponding change management records
- Unauthorized firmware modifications or configuration exports from affected devices
Detection Strategies
- Implement network-based monitoring for authentication traffic to ABB ASPECT, NEXUS, and MATRIX devices
- Configure SIEM rules to alert on password reset operations and correlate with normal administrative activity patterns
- Deploy network segmentation monitoring to detect lateral movement attempts toward building automation networks
- Utilize SentinelOne's network discovery capabilities to identify vulnerable ABB devices running firmware version 3.07.02 or earlier
Monitoring Recommendations
- Enable detailed audit logging on all affected ABB devices and forward logs to centralized SIEM infrastructure
- Monitor for anomalous access patterns including off-hours logins, geographic anomalies, and unusual session durations
- Implement continuous vulnerability scanning of OT/IoT network segments to identify unpatched devices
- Establish baseline authentication behavior profiles for building automation administrators to detect deviations
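As an added example that is not part of this page or any vendor tooling, the following script applies the first two indicators above (a failed-login burst followed by success from an unexpected source, and password resets outside normal hours or outside the admin network) to constructed key=value authentication log lines; the log format, the admin network, the working hours and the thresholds are all assumptions to adapt to the actual device logs forwarded to the SIEM:

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed assumptions: admin network, UTC working hours, brute-force burst size/window.
ADMIN_NETWORKS = [ip_network("10.20.0.0/24")]
WORK_HOURS = range(8, 18)
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

def parse_line(line: str) -> dict:
    """Parse a constructed 'timestamp key=value ...' authentication log line."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def is_admin_src(src: str) -> bool:
    return any(ip_address(src) in net for net in ADMIN_NETWORKS)

def detect(lines: list[str]) -> list[str]:
    """Alert on a failed-login burst followed by success from a non-admin source,
    and on password resets outside working hours or outside the admin network."""
    alerts, failures = [], {}  # failures: src -> timestamps of failed logins
    for rec in map(parse_line, lines):
        src, ev, ts, user = rec["src"], rec["event"], rec["ts"], rec["user"]
        if ev == "login_failed":
            failures.setdefault(src, []).append(ts)
        elif ev == "login_success":
            recent = [t for t in failures.pop(src, []) if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD and not is_admin_src(src):
                alerts.append(f"brute-force-then-success src={src} user={user} failures={len(recent)}")
        elif ev == "password_reset":
            if ts.hour not in WORK_HOURS or not is_admin_src(src):
                alerts.append(f"suspicious-password-reset src={src} user={user} "
                              f"target={rec.get('target', '?')} at={ts.isoformat()}")
    return alerts

# Constructed sample: five failures then success from an unknown host, a 02:31 UTC reset
# from that host, and benign admin-network activity that must not alert.
SAMPLE_LOG = [
    "2024-12-06T02:13:01Z user=admin src=203.0.113.45 event=login_failed",
    "2024-12-06T02:13:04Z user=admin src=203.0.113.45 event=login_failed",
    "2024-12-06T02:13:07Z user=admin src=203.0.113.45 event=login_failed",
    "2024-12-06T02:13:10Z user=admin src=203.0.113.45 event=login_failed",
    "2024-12-06T02:13:13Z user=admin src=203.0.113.45 event=login_failed",
    "2024-12-06T02:13:19Z user=admin src=203.0.113.45 event=login_success",
    "2024-12-06T02:31:40Z user=admin src=203.0.113.45 event=password_reset target=operator",
    "2024-12-06T10:05:20Z user=admin src=10.20.0.15 event=login_success",
    "2024-12-06T10:06:02Z user=admin src=10.20.0.15 event=password_reset target=operator",
]
```

Running `detect(SAMPLE_LOG)` yields exactly the two alerts for the unknown host and nothing for the admin-network activity.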
How to Mitigate CVE-2024-48845
Immediate Actions Required
- Review and strengthen all administrative passwords on affected ABB devices to meet enterprise password policy standards (minimum 12+ characters with complexity requirements)
- Implement network segmentation to isolate building automation systems from general enterprise networks
- Enable multi-factor authentication where supported by the device or through network access controls
- Audit all user accounts on affected systems and disable unnecessary or default accounts
Patch Information
ABB has released security guidance addressing this vulnerability. Organizations should consult the ABB Security Advisory for official remediation guidance and firmware update information. Contact ABB support to obtain patched firmware versions that address the weak password requirements issue.
Workarounds
- Implement compensating controls through network-level access restrictions limiting management interface access to specific administrative IP addresses or VPN connections
- Deploy a Web Application Firewall (WAF) or network firewall rules to rate-limit authentication attempts and block suspected brute-force attacks
- Configure external authentication mechanisms such as RADIUS or LDAP with proper password policies where supported by the device
- Establish documented password standards for building automation systems and conduct periodic audits to verify compliance
# Example network access restriction (firewall rule concept) for an in-path Linux firewall
# Restrict management access to authorized administrative networks only
# Traffic to the device traverses the FORWARD chain on a transit firewall (INPUT only matches
# packets addressed to the firewall host itself); the ACCEPT rule must precede the DROP rule
# Replace <ABB_DEVICE_IP> and <ADMIN_NETWORK> with actual values; port 443 assumes HTTPS management
iptables -A FORWARD -d <ABB_DEVICE_IP> -p tcp --dport 443 -s <ADMIN_NETWORK> -j ACCEPT
iptables -A FORWARD -d <ABB_DEVICE_IP> -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.