CVE-2025-30172 Overview
CVE-2025-30172 is a remote code execution vulnerability in ABB ASPECT building automation products. The flaw allows attackers who obtain session administrator credentials to execute arbitrary code on affected devices. The weakness is classified as improper control of code generation [CWE-94].
The vulnerability affects ASPECT-Enterprise, NEXUS Series, and MATRIX Series products through firmware version 3.08.03. These systems manage HVAC, lighting, and energy infrastructure in commercial and industrial buildings. Successful exploitation gives attackers full control of building automation logic and connected operational technology assets.
Critical Impact
Attackers with compromised administrator session credentials can execute arbitrary code on ABB ASPECT controllers, compromising confidentiality, integrity, and availability of building automation environments.
Affected Products
- ABB ASPECT-Enterprise through version 3.08.03
- ABB NEXUS Series through version 3.08.03
- ABB MATRIX Series through version 3.08.03
Discovery Timeline
- 2025-05-22 - CVE-2025-30172 published to the National Vulnerability Database
- 2026-04-15 - Last updated in the NVD database
Technical Details for CVE-2025-30172
Vulnerability Analysis
The vulnerability resides in the administrative interface of ABB ASPECT building management controllers. An attacker who possesses valid session administrator credentials can trigger code execution paths that load attacker-controlled input as executable logic. The flaw is categorized under [CWE-94], improper control of generation of code, indicating that the application processes input that influences code construction without sufficient validation.
Exploitation requires network access to the management interface and an authenticated administrator session. The attack complexity is high because credential compromise is a prerequisite. Once exploited, the attacker gains code execution in the context of the controller, with the ability to pivot into connected operational technology segments.
Root Cause
The root cause is unsafe handling of administrator-supplied input within code generation or evaluation routines. The product does not adequately separate trusted configuration data from executable code paths. Refer to the ABB Technical Document for vendor-specific technical details.
Attack Vector
The attack vector is network-based and requires high privileges. An adversary must first compromise session administrator credentials through phishing, credential stuffing, brute force against weak passwords, or session hijacking. After authenticating, the attacker submits crafted payloads to the affected administrative endpoint, triggering arbitrary code execution on the underlying controller.
No public proof-of-concept exploit is currently available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-30172
Indicators of Compromise
- Unexpected administrator login events on ASPECT, NEXUS, or MATRIX management interfaces from unusual source addresses
- New or modified scripts, schedules, or automation rules created outside scheduled change windows
- Outbound network connections from controllers to untrusted external hosts
- Configuration backups or firmware images downloaded by unrecognized accounts
Detection Strategies
- Monitor authentication logs for administrator sessions originating from non-engineering workstations or geographies
- Alert on repeated failed login attempts followed by a successful administrator login
- Inspect controller process and file integrity baselines for deviations introduced after authenticated sessions
- Correlate operational technology network telemetry with management plane activity to identify lateral movement
Monitoring Recommendations
- Forward ASPECT, NEXUS, and MATRIX audit logs to a centralized SIEM for retention and correlation
- Enable session timeout and idle disconnect on all administrator accounts
- Deploy network detection sensors between IT and OT segments to capture management traffic
- Review privileged account activity weekly and validate against approved change tickets
How to Mitigate CVE-2025-30172
Immediate Actions Required
- Apply the ABB-provided firmware update for ASPECT-Enterprise, NEXUS, and MATRIX products as soon as available
- Rotate all administrator credentials on affected controllers and enforce strong, unique passwords
- Restrict management interface access to a dedicated administrative VLAN or jump host
- Audit existing administrator accounts and remove inactive or unnecessary users
Patch Information
ABB has published guidance for affected ASPECT-Enterprise, NEXUS Series, and MATRIX Series products through version 3.08.03. Consult the ABB Technical Document for the fixed release version and upgrade procedures. Verify firmware version before and after the update to confirm successful remediation.
Workarounds
- Place affected controllers behind a firewall and block management interface access from untrusted networks
- Require VPN with multi-factor authentication for any remote administrative connection
- Disable unused administrator accounts and reduce the number of users with session administrator privileges
- Monitor for unauthorized configuration changes until the patch is applied across the fleet
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

