CVE-2024-6209 Overview
CVE-2024-6209 is an unauthorized file access vulnerability in the embedded WEB server of ABB ASPECT building automation controllers. The flaw affects ABB ASPECT-Enterprise, NEXUS Series, and MATRIX Series devices running firmware version v3.08.01. An attacker with adjacent network access can retrieve files from the controller without authentication, exposing configuration data, credentials, and operational logic. The weakness is classified under CWE-552: Files or Directories Accessible to External Parties. ABB ASPECT devices are deployed in building management systems for HVAC, lighting, and energy control, making unauthorized file disclosure a direct risk to operational technology environments.
Critical Impact
Unauthenticated attackers on an adjacent network can read sensitive files from ABB ASPECT, NEXUS, and MATRIX controllers, exposing credentials and configuration data that enable follow-on attacks on building automation infrastructure.
Affected Products
- ABB ASPECT-Enterprise (ASPECT-ENT-2, ASPECT-ENT-12, ASPECT-ENT-96, ASPECT-ENT-256) firmware v3.08.01
- ABB NEXUS Series (NEXUS-264, NEXUS-264-A/F/G, NEXUS-2128, NEXUS-2128-A/F/G, NEXUS-3-264, NEXUS-3-2128) firmware v3.08.01
- ABB MATRIX Series (MATRIX-11, MATRIX-216, MATRIX-232, MATRIX-264, MATRIX-296) firmware v3.08.01
Discovery Timeline
- 2024-07-05 - CVE-2024-6209 published to NVD
- 2024-12-05 - Last updated in NVD database
Technical Details for CVE-2024-6209
Vulnerability Analysis
The vulnerability resides in the WEB server component running on ABB ASPECT controllers. The server exposes file resources without enforcing authentication or authorization checks on requests. An attacker reachable on the same network segment as the controller can issue HTTP requests that return file contents intended to be protected. This category of weakness maps to CWE-552, which covers files or directories made accessible to unintended parties through a server interface. Disclosed files in building automation controllers typically include device configuration, control logic, integration credentials for BACnet or Modbus peers, and stored user credentials. The EPSS score of 42.845% places this CVE in the 97th percentile of vulnerabilities most likely to be exploited.
Root Cause
The WEB server in firmware v3.08.01 of the affected ASPECT, NEXUS, and MATRIX product lines fails to enforce access controls on file-serving endpoints. Requests to retrieve files are processed without validating session state, authentication tokens, or user privileges. The server treats protected resources as if they were public static content.
Attack Vector
Exploitation requires adjacent network access: the attacker must reside on the same logical network as the controller, such as a building management VLAN, operational technology segment, or shared LAN. No user interaction and no credentials are required. The attacker sends crafted HTTP requests to the controller's web interface and receives file contents in the response. Because ASPECT controllers are sometimes exposed to broader networks or the internet through misconfiguration, the practical attack surface can extend beyond the immediate adjacent segment. Exploit code referenced by Exploit-DB indicates that working techniques exist for this class of ABB ASPECT flaws.
No verified proof-of-concept code is published in the vendor advisory. See the ABB security advisory for technical details.
Detection Methods for CVE-2024-6209
Indicators of Compromise
- Unexpected HTTP GET requests from non-administrative hosts targeting file paths on ASPECT, NEXUS, or MATRIX controller web interfaces
- Unauthenticated HTTP 200 OK responses returning configuration files, credential stores, or system logs
- Outbound connections from building management VLANs to unfamiliar destinations following web server activity
- Controller log entries showing file access events without an associated authenticated session
Detection Strategies
- Inspect network traffic between operator workstations and ASPECT/NEXUS/MATRIX controllers for HTTP requests that return file content without prior authentication exchanges
- Deploy network intrusion detection signatures targeting unauthenticated file-retrieval URI patterns on ABB controller web ports
- Correlate web server access logs on the controller against the authoritative list of authorized engineering workstations
- Baseline normal HTTP request volumes per controller and alert on sustained scanning or enumeration activity
Monitoring Recommendations
- Forward ABB controller syslog, web access, and authentication events to a centralized SIEM for retention and correlation
- Monitor east-west traffic on building automation VLANs for anomalous HTTP activity directed at controllers
- Track firmware version inventory continuously to flag any device still running v3.08.01
- Alert on any external (WAN-side) connectivity attempts to ASPECT, NEXUS, or MATRIX management interfaces
How to Mitigate CVE-2024-6209
Immediate Actions Required
- Identify all ABB ASPECT-Enterprise, NEXUS Series, and MATRIX Series devices and confirm firmware version against v3.08.01
- Apply the firmware update published by ABB in advisory 9AKK108469A7497
- Remove any direct internet exposure of ASPECT, NEXUS, or MATRIX web interfaces
- Rotate credentials and integration secrets that may have been stored on the affected controllers
Patch Information
ABB has issued a security advisory and corrective firmware for the affected ASPECT, NEXUS, and MATRIX product lines. Refer to the ABB cybersecurity notification 9AKK108469A7497 for the fixed firmware versions and upgrade procedure. Schedule the update through standard change-management windows for operational technology environments and validate device functionality after upgrade.
Workarounds
- Place ASPECT, NEXUS, and MATRIX controllers behind a firewall that restricts access to a small allowlist of engineering hosts
- Segment building automation networks from corporate IT and guest networks using VLANs and strict ACLs
- Require VPN with multi-factor authentication for any remote administration of controllers
- Disable the controller web interface on devices that do not require it for daily operation
# Example firewall rule restricting controller web access to engineering subnet
# 10.20.30.0/24 is the engineering subnet, 10.50.0.0/16 the controller network.
# iptables -A appends in order, so the ACCEPT rules must be added before the DROPs.
iptables -A FORWARD -s 10.20.30.0/24 -d 10.50.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.20.30.0/24 -d 10.50.0.0/16 -p tcp --dport 443 -j ACCEPT
# Everything else destined for the controllers' web ports is dropped.
iptables -A FORWARD -d 10.50.0.0/16 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 10.50.0.0/16 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.