CVE-2024-51547 Overview
CVE-2024-51547 is a hard-coded credentials vulnerability [CWE-798] affecting ABB ASPECT-Enterprise, NEXUS Series, and MATRIX Series building automation controllers running firmware versions through 3.*. The flaw allows a remote, unauthenticated attacker to authenticate to affected devices using credentials embedded in the firmware. Because these devices manage HVAC, lighting, and energy systems in commercial and industrial environments, successful exploitation grants control over operational technology assets. The vulnerability carries a CVSS 4.0 base score of 9.3 and impacts confidentiality, integrity, and availability of the affected systems. ABB published a public advisory describing the issue and affected product lines.
Critical Impact
Remote unauthenticated attackers can leverage hard-coded credentials to gain full administrative control of ABB ASPECT, NEXUS, and MATRIX building management controllers.
Affected Products
- ABB ASPECT-Enterprise (ASPECT-ENT-2, ASPECT-ENT-12, ASPECT-ENT-96, ASPECT-ENT-256) firmware through 3.*
- ABB NEXUS Series (NEXUS-2128, NEXUS-264, NEXUS-3-2128, NEXUS-3-264 and -A/-F/-G variants) firmware through 3.*
- ABB MATRIX Series (MATRIX-11, MATRIX-216, MATRIX-232, MATRIX-264, MATRIX-296) firmware through 3.*
Discovery Timeline
- 2025-02-06 - CVE-2024-51547 published to NVD
- 2025-05-23 - Last updated in NVD database
Technical Details for CVE-2024-51547
Vulnerability Analysis
The vulnerability stems from the use of hard-coded credentials embedded in the firmware of ABB ASPECT, NEXUS, and MATRIX product families. These credentials are static across deployments and cannot be modified or rotated by the end user. An attacker with network reachability to the device management interface can authenticate without prior knowledge of operator-set passwords. Once authenticated, the attacker inherits the privileges associated with the embedded account, which typically include configuration, control, and data access capabilities on the building automation controller.
Affected controllers are commonly deployed in commercial real estate, manufacturing facilities, hospitals, and data centers to manage HVAC, lighting, access, and energy systems. Compromise can disrupt physical operations, alter setpoints, disable safety logic, or pivot into adjacent OT and IT networks. The attack requires no user interaction and no prior authentication, and the attack complexity is low.
Root Cause
The root cause is the inclusion of static authentication material within shipped firmware images, classified as [CWE-798] Use of Hard-coded Credentials. Because the credentials are baked into the firmware, every device of the affected series shares the same secret, and discovery on one unit equates to discovery on all. Standard credential rotation, account lockout, and password complexity policies do not mitigate the exposure.
Attack Vector
The attack vector is network based. An attacker who can reach the controller's management service over TCP/IP can submit authentication requests using the embedded credentials. Devices exposed directly to the internet, or reachable from a flat enterprise network, are at highest risk. Refer to the ABB Public Advisory Document for vendor-specific technical detail.
Detection Methods for CVE-2024-51547
Indicators of Compromise
- Successful authentication events on ABB ASPECT, NEXUS, or MATRIX management interfaces from unexpected source addresses or outside maintenance windows.
- Configuration changes, firmware updates, or new user accounts created on affected controllers without a corresponding change ticket.
- Outbound connections from building automation controllers to unknown external IP addresses.
Detection Strategies
- Inventory all ABB ASPECT-Enterprise, NEXUS, and MATRIX devices and verify firmware versions against the ABB advisory.
- Inspect network flows for authentication traffic to controller management ports originating from non-engineering subnets.
- Correlate device login logs with operator activity records to identify sessions that cannot be attributed to authorized users.
Monitoring Recommendations
- Forward controller authentication and audit logs to a centralized SIEM or data lake for retention and alerting.
- Alert on any administrative action performed on ASPECT, NEXUS, or MATRIX devices from outside designated OT management hosts.
- Monitor perimeter and OT/IT boundary firewalls for inbound traffic destined to building automation controllers.
How to Mitigate CVE-2024-51547
Immediate Actions Required
- Remove direct internet exposure of ABB ASPECT, NEXUS, and MATRIX controllers and place them behind a firewall or VPN.
- Apply the firmware update referenced in the ABB advisory once available for your product variant.
- Restrict management access to a dedicated engineering workstation subnet using ACLs or network segmentation.
- Review controller audit logs for signs of unauthorized authentication or configuration change.
Patch Information
ABB has published guidance in the ABB Public Advisory Document. Operators should follow the vendor's instructions for upgrading firmware on ASPECT-Enterprise, NEXUS Series, and MATRIX Series devices beyond the 3.* train. Coordinate maintenance windows with facilities and OT engineering teams before deploying firmware.
Workarounds
- Isolate affected controllers on a dedicated VLAN with no direct routing to corporate or internet networks.
- Require jump-host or VPN access for any administrative interaction with the controllers, and enforce multi-factor authentication at that perimeter.
- Disable unused services and management protocols on each device to reduce the exposed attack surface.
# Example firewall ACL restricting controller management access to an engineering jump host
iptables -A FORWARD -s 10.20.30.40/32 -d 10.50.0.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.50.0.0/24 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

