Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-51547

CVE-2024-51547: ABB ASPECT Firmware Auth Bypass Flaw

CVE-2024-51547 is an authentication bypass vulnerability in ABB ASPECT-Enterprise, NEXUS, and MATRIX Series firmware caused by hard-coded credentials. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2024-51547 Overview

CVE-2024-51547 is a hard-coded credentials vulnerability [CWE-798] affecting ABB ASPECT-Enterprise, NEXUS Series, and MATRIX Series building automation controllers running firmware versions through 3.*. The flaw allows a remote, unauthenticated attacker to authenticate to affected devices using credentials embedded in the firmware. Because these devices manage HVAC, lighting, and energy systems in commercial and industrial environments, successful exploitation grants control over operational technology assets. The vulnerability carries a CVSS 4.0 base score of 9.3 and impacts confidentiality, integrity, and availability of the affected systems. ABB published a public advisory describing the issue and affected product lines.

Critical Impact

Remote unauthenticated attackers can leverage hard-coded credentials to gain full administrative control of ABB ASPECT, NEXUS, and MATRIX building management controllers.

Affected Products

  • ABB ASPECT-Enterprise (ASPECT-ENT-2, ASPECT-ENT-12, ASPECT-ENT-96, ASPECT-ENT-256) firmware through 3.*
  • ABB NEXUS Series (NEXUS-2128, NEXUS-264, NEXUS-3-2128, NEXUS-3-264 and -A/-F/-G variants) firmware through 3.*
  • ABB MATRIX Series (MATRIX-11, MATRIX-216, MATRIX-232, MATRIX-264, MATRIX-296) firmware through 3.*

Discovery Timeline

  • 2025-02-06 - CVE-2024-51547 published to NVD
  • 2025-05-23 - Last updated in NVD database

Technical Details for CVE-2024-51547

Vulnerability Analysis

The vulnerability stems from the use of hard-coded credentials embedded in the firmware of ABB ASPECT, NEXUS, and MATRIX product families. These credentials are static across deployments and cannot be modified or rotated by the end user. An attacker with network reachability to the device management interface can authenticate without prior knowledge of operator-set passwords. Once authenticated, the attacker inherits the privileges associated with the embedded account, which typically include configuration, control, and data access capabilities on the building automation controller.

Affected controllers are commonly deployed in commercial real estate, manufacturing facilities, hospitals, and data centers to manage HVAC, lighting, access, and energy systems. Compromise can disrupt physical operations, alter setpoints, disable safety logic, or pivot into adjacent OT and IT networks. The attack requires no user interaction and no prior authentication, and the attack complexity is low.

Root Cause

The root cause is the inclusion of static authentication material within shipped firmware images, classified as [CWE-798] Use of Hard-coded Credentials. Because the credentials are baked into the firmware, every device of the affected series shares the same secret, and discovery on one unit equates to discovery on all. Standard credential rotation, account lockout, and password complexity policies do not mitigate the exposure.

Attack Vector

The attack vector is network based. An attacker who can reach the controller's management service over TCP/IP can submit authentication requests using the embedded credentials. Devices exposed directly to the internet, or reachable from a flat enterprise network, are at highest risk. Refer to the ABB Public Advisory Document for vendor-specific technical detail.

Detection Methods for CVE-2024-51547

Indicators of Compromise

  • Successful authentication events on ABB ASPECT, NEXUS, or MATRIX management interfaces from unexpected source addresses or outside maintenance windows.
  • Configuration changes, firmware updates, or new user accounts created on affected controllers without a corresponding change ticket.
  • Outbound connections from building automation controllers to unknown external IP addresses.

Detection Strategies

  • Inventory all ABB ASPECT-Enterprise, NEXUS, and MATRIX devices and verify firmware versions against the ABB advisory.
  • Inspect network flows for authentication traffic to controller management ports originating from non-engineering subnets.
  • Correlate device login logs with operator activity records to identify sessions that cannot be attributed to authorized users.

Monitoring Recommendations

  • Forward controller authentication and audit logs to a centralized SIEM or data lake for retention and alerting.
  • Alert on any administrative action performed on ASPECT, NEXUS, or MATRIX devices from outside designated OT management hosts.
  • Monitor perimeter and OT/IT boundary firewalls for inbound traffic destined to building automation controllers.

How to Mitigate CVE-2024-51547

Immediate Actions Required

  • Remove direct internet exposure of ABB ASPECT, NEXUS, and MATRIX controllers and place them behind a firewall or VPN.
  • Apply the firmware update referenced in the ABB advisory once available for your product variant.
  • Restrict management access to a dedicated engineering workstation subnet using ACLs or network segmentation.
  • Review controller audit logs for signs of unauthorized authentication or configuration change.

Patch Information

ABB has published guidance in the ABB Public Advisory Document. Operators should follow the vendor's instructions for upgrading firmware on ASPECT-Enterprise, NEXUS Series, and MATRIX Series devices beyond the 3.* train. Coordinate maintenance windows with facilities and OT engineering teams before deploying firmware.

Workarounds

  • Isolate affected controllers on a dedicated VLAN with no direct routing to corporate or internet networks.
  • Require jump-host or VPN access for any administrative interaction with the controllers, and enforce multi-factor authentication at that perimeter.
  • Disable unused services and management protocols on each device to reduce the exposed attack surface.
bash
# Example firewall ACL restricting controller management access to an engineering jump host
iptables -A FORWARD -s 10.20.30.40/32 -d 10.50.0.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.50.0.0/24 -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.