CVE-2024-48845 Overview
CVE-2024-48845 is a weak password requirements vulnerability [CWE-521] affecting ABB ASPECT Enterprise, NEXUS Series, and MATRIX Series building automation controllers running firmware v3.07.02. The password reset rules permit users to store weak passwords, exposing administrative and application accounts to unauthorized access. An unauthenticated network attacker can target the affected controllers to gain administrative control over building management functions.
Critical Impact
Attackers can leverage weak passwords to obtain administrative or application-level access to ABB building automation controllers, compromising confidentiality and integrity of industrial control system operations.
Affected Products
- ABB ASPECT - Enterprise v3.07.02 (ASPECT-Ent-2, ASPECT-Ent-12, ASPECT-Ent-96, ASPECT-Ent-256)
- ABB NEXUS Series v3.07.02 (NEXUS-2128, NEXUS-264, NEXUS-3-2128, NEXUS-3-264, and -A/-F/-G variants)
- ABB MATRIX Series v3.07.02 (MATRIX-11, MATRIX-216, MATRIX-232, MATRIX-264, MATRIX-296)
Discovery Timeline
- 2024-12-05 - CVE-2024-48845 published to NVD
- 2025-02-27 - Last updated in NVD database
Technical Details for CVE-2024-48845
Vulnerability Analysis
The vulnerability stems from insufficient password complexity enforcement in the password reset workflow of ABB ASPECT, NEXUS, and MATRIX controllers. The affected firmware accepts passwords that do not meet adequate strength requirements, allowing operators to set short, predictable, or easily guessable credentials for administrative and application accounts. Because these controllers expose web-based management interfaces, attackers can attempt credential guessing or brute-force attacks against publicly reachable devices.
The weakness is classified under [CWE-521: Weak Password Requirements]. The vulnerability is exploitable over the network without authentication or user interaction. Its EPSS exploitation probability is 5.468%, which places it in the 90th percentile of published CVEs and indicates an elevated likelihood of exploitation activity compared to most published CVEs.
Root Cause
The affected firmware does not enforce a sufficient password policy during password creation or reset. Specifically, the password validation logic fails to require minimum length, character class diversity, or rejection of common dictionary terms. Stored credentials therefore include weak entries that fall within the search space of automated password attacks.
Attack Vector
An unauthenticated attacker with network access to the controller management interface can perform credential-guessing attacks against administrator or application accounts. Building automation controllers commonly bridge IT and operational technology networks, and ASPECT/NEXUS/MATRIX devices have been observed exposed to the public internet. Successful exploitation yields administrative or application-level access to building management functions, including HVAC, lighting, and access control subsystems.
No verified public proof-of-concept code is available for this issue. Refer to the ABB Security Advisory for vendor technical details.
Detection Methods for CVE-2024-48845
Indicators of Compromise
- Repeated failed authentication attempts against ASPECT, NEXUS, or MATRIX web management endpoints from a single or distributed source
- Successful administrator logins from unexpected geographic locations or outside maintenance windows
- Unexpected changes to user accounts, password policies, or scheduled automation tasks on affected controllers
- New or modified application-level credentials not aligned with change management records
Detection Strategies
- Audit current password databases on affected controllers for entries that fall below acceptable complexity thresholds
- Correlate authentication logs from ABB controllers with network access logs to identify brute-force or credential-stuffing patterns
- Monitor for HTTP POST traffic to login and password-reset endpoints with high request rates from a single source
- Cross-reference administrator session activity against approved engineering workstation inventories
Monitoring Recommendations
- Forward ABB controller authentication and audit logs to a centralized SIEM for retention and analysis
- Configure alerts on consecutive failed logins followed by a successful login from the same source IP
- Track configuration export and account-modification events on building automation controllers
- Periodically scan management network segments for unauthorized exposure of ABB controller interfaces
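As an added example (not ABB tooling), the detection logic behind the "consecutive failed logins followed by a successful login from the same source IP" alert, run over constructed authentication log lines in an assumed key=value format; a real ABB controller log would need its own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed format; this is not the vendor's log layout.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z src=203.0.113.5 user=admin result=FAIL
2025-03-01T10:00:02Z src=203.0.113.5 user=admin result=FAIL
2025-03-01T10:00:03Z src=203.0.113.5 user=admin result=FAIL
2025-03-01T10:00:04Z src=203.0.113.5 user=admin result=FAIL
2025-03-01T10:00:05Z src=203.0.113.5 user=admin result=FAIL
2025-03-01T10:00:09Z src=203.0.113.5 user=admin result=OK
2025-03-01T10:05:00Z src=10.20.30.7 user=engineer result=FAIL
2025-03-01T10:05:30Z src=10.20.30.7 user=engineer result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, source IP, user, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"]


def detect_bruteforce_then_success(log_text, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source IP accumulates `threshold` failed logins inside `window`
    and then authenticates successfully; a lone typo followed by success is ignored."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ts, src, user, result in parse(log_text):
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()         # slide the window forward
        if result == "FAIL":
            recent.append(ts)
        elif result == "OK" and len(recent) >= threshold:
            alerts.append({"src": src, "user": user, "failures": len(recent), "at": ts})
            recent.clear()
    return alerts
```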
How to Mitigate CVE-2024-48845
Immediate Actions Required
- Apply firmware updates referenced in the ABB security advisory to all ASPECT, NEXUS, and MATRIX controllers running v3.07.02
- Force a password reset for every administrator and application account after upgrading, enforcing strong complexity rules
- Remove direct internet exposure of controller web management interfaces and restrict access to engineering VLANs
- Inventory all ABB building automation devices to confirm patch coverage across ASPECT, NEXUS, and MATRIX product lines
Patch Information
ABB has published remediation guidance in the vendor advisory. Refer to the ABB Security Advisory 9AKK108469A7497 for the corrected firmware versions and upgrade procedures applicable to each affected model.
Workarounds
- Place controllers behind a firewall or VPN and limit management access to a restricted set of jump hosts
- Implement network-level rate limiting and account lockout policies in front of the controller management interfaces
- Require multi-factor authentication on upstream remote-access gateways used to reach OT networks
- Conduct a manual audit of stored credentials and replace any weak passwords with values meeting organizational policy
# Example: Restrict access to ABB controller management interface using iptables
# Run on the firewall or host in front of the controller; 10.20.30.0/24 stands for
# the engineering subnet. Rules match in order, so the ACCEPT must precede the DROP
# and neither must come after an existing broader ACCEPT for port 443 in the chain.
iptables -A INPUT -p tcp -s 10.20.30.0/24 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.