Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-51546

CVE-2024-51546: ABB ASPECT Credentials Disclosure Issue

CVE-2024-51546 is a credentials disclosure vulnerability in ABB ASPECT-ENT firmware that exposes project backup bundles. This article covers the technical details, affected ASPECT, NEXUS, and MATRIX systems, and mitigation.

Published:

CVE-2024-51546 Overview

CVE-2024-51546 is a credentials disclosure vulnerability affecting ABB ASPECT, NEXUS, and MATRIX building management product lines. The flaw allows remote, unauthenticated network attackers to access on-board project back-up bundles containing sensitive credentials. The weakness is tracked under CWE-522: Insufficiently Protected Credentials and CWE-1287: Improper Validation of Specified Type of Input.

Critical Impact

Unauthenticated attackers can retrieve project back-up bundles over the network, exposing credentials that enable further compromise of building automation infrastructure.

Affected Products

  • ABB ASPECT - Enterprise v3.08.02 (ASPECT-ENT-2, ASPECT-ENT-12, ASPECT-ENT-96, ASPECT-ENT-256)
  • ABB NEXUS Series v3.08.02 (NEXUS-2128, NEXUS-264, NEXUS-3-2128, NEXUS-3-264, and -A/-F/-G variants)
  • ABB MATRIX Series v3.08.02 (MATRIX-11, MATRIX-216, MATRIX-232, MATRIX-264, MATRIX-296)

Discovery Timeline

  • 2024-12-05 - CVE-2024-51546 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-51546

Vulnerability Analysis

The vulnerability exists in the back-up bundle handling logic of ABB ASPECT, NEXUS, and MATRIX building automation controllers running firmware v3.08.02. These devices store on-board project back-up bundles that contain configuration data and embedded credentials used to operate the system. The affected endpoints fail to enforce authentication or properly validate request parameters before serving the bundles.

An attacker reachable over the network can request these archives directly. Once retrieved, the bundles disclose credentials that can be reused to pivot into supervisory control workflows, modify automation logic, or escalate access across the connected building management environment.

Root Cause

The root cause combines two weaknesses. Per [CWE-522], credentials embedded in back-up bundles are insufficiently protected at rest and in transit. Per [CWE-1287], the device fails to validate the type or authorization context of requests targeting the bundle resource, allowing unauthenticated retrieval.

Attack Vector

Exploitation is network-based, requires no privileges, and no user interaction. An attacker with reachability to the device management interface issues crafted requests against the back-up endpoint. The response contains the project bundle, from which credentials can be extracted offline. An ExploitDB entry is referenced for this product family, indicating public technical material is available.

No verified exploit code is reproduced here. Refer to the ABB security advisory for vendor-confirmed technical details.

Detection Methods for CVE-2024-51546

Indicators of Compromise

  • Unauthenticated HTTP/HTTPS requests to back-up or project bundle endpoints on ASPECT, NEXUS, or MATRIX devices.
  • Outbound transfers of .zip, .tar, or proprietary back-up archive file types from controller IP addresses to external hosts.
  • Authentication events using legitimate operator credentials originating from unexpected source addresses shortly after bundle access.

Detection Strategies

  • Monitor management interfaces of ABB ASPECT, NEXUS, and MATRIX devices for unauthenticated GET requests targeting project, backup, or bundle paths.
  • Correlate firewall and proxy logs to flag large file downloads from operational technology (OT) network segments.
  • Compare device firmware version banners against v3.08.02 to identify in-scope assets across the environment.

Monitoring Recommendations

  • Enable verbose web server and access logging on affected controllers and forward logs to a centralized SIEM.
  • Baseline expected administrative sessions and alert on access patterns that deviate from operator workstations.
  • Track credential reuse by monitoring for the same account authenticating from both engineering and untrusted network zones.

How to Mitigate CVE-2024-51546

Immediate Actions Required

  • Identify all ASPECT, NEXUS, and MATRIX devices running firmware v3.08.02 and isolate them from untrusted networks.
  • Place affected controllers behind a firewall that restricts management access to a defined engineering workstation allowlist.
  • Rotate all credentials stored on affected devices, assuming prior bundle exposure until logs confirm otherwise.

Patch Information

ABB has published guidance for this issue in the ABB cybersecurity advisory. Apply the vendor-supplied firmware update for ASPECT, NEXUS, and MATRIX products as directed in the advisory.

Workarounds

  • Disable remote access to management interfaces and require VPN connectivity for any administrative operation.
  • Segment building automation networks from corporate IT using firewalls and unidirectional gateways where feasible.
  • Restrict access to the back-up endpoint at the network layer until the firmware update is applied.
bash
# Example firewall restriction limiting management access to a jump host
iptables -A INPUT -p tcp -s <engineering_jump_host_ip> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.