Researcher Says ABB Building Control Products Affected by 1,000 Vulnerabilities

A researcher claims to have found over 1,000 vulnerabilities in products made by electrification and automation solutions provider ABB, including flaws that can expose facilities to remote hacking. The vendor has released patches.

Gjoko Krstic, who is known for security research aimed at building management and access control systems, discovered the vulnerabilities in the ABB Cylon FLXeon and ABB Cylon Aspect building energy management and control solutions.

Krstic told SecurityWeek that he uncovered just over 1,000 vulnerabilities in the Aspect product (including many with ‘critical’ and ‘high’ severity ratings), and 35 security holes in the FLXeon product.

A wide range of flaws have been found, including unauthorized file access and manipulation, XSS, CSRF, SSRF, IDOR, security bypass, DoS, SQL injection, and password-related issues that can be exploited for remote code execution, to obtain sensitive information, or to cause disruption. 

The researcher said some of the vulnerabilities can be exploited by a remote, unauthenticated attacker to take complete control of the targeted system.

ABB advises customers not to expose these systems to the internet. However, the impacted products are used around the world and the researcher believes that roughly 1,000 facilities expose these systems to the web and may be vulnerable to attacks. The vulnerabilities could expose hospitals, stadiums, and airports to attacks, according to the researcher.

In a real-world attack scenario, depending on what the targeted building management system is used for, the vulnerabilities can allow an attacker to tamper with lights, HVAC systems, water pressure, doors, sensors, and industrial control systems (ICS), Krstic said.

The issues were reported to ABB in the spring of 2024 and the vendor recently released patches and published advisories. An advisory has also been published by the US cybersecurity agency CISA for the Aspect vulnerabilities. 

However, Krstic said he is displeased with the way ABB handled the disclosure process, and at one point he decided to no longer report his findings directly to the vendor and instead disclose them through CISA and CERT/CC’s Vulnerability Information and Coordination Environment (VINCE) due to frustration over silent patching and the lack of proper public acknowledgement from ABB.

The researcher is also displeased with the fact that ABB has only assigned roughly two dozen CVE identifiers to the vulnerabilities. He told SecurityWeek that he believes more than 100 CVEs should have been assigned, with CVEs for each impacted file and attack vector, rather than one CVE for each type of vulnerability. 

Krstic’s analysis targeted hundreds of PHP and Java files and multiple vulnerabilities have been found in some of these files, totaling over 1,000 issues. 

The researcher has to date published more than 70 individual advisories, but the total number of advisories for these vulnerabilities is expected to reach 150. 

SecurityWeek has reached out to ABB for comment, but the company has not responded [the company sent over a statement after the article was published and it has been added at the end]. 

ABB added the Aspect and FLXeon products to its portfolio following the acquisition of Cylon Controls back in 2020. Based on Krstic’s analysis and observations, the codebase of the impacted building management system products is 19 years old and ABB only started improving their security four years after acquiring Cylon. 

UPDATE: Minutes after the article was published, ABB sent over the following statement:

“At ABB, we are committed to providing products, systems, and services with robust cyber security measures. Proper and timely handling of cyber security incidents and vulnerabilities is critical to minimizing risks for our customers. To support this, ABB has established a formal vulnerability handling policy, publicly available here.

Anyone who discovers a vulnerability affecting an ABB solution is encouraged to contact ABB directly at ‘[email protected]’ or report it through a national CERT or other coordinating organization. Reporting entities who wish not to remain anonymous will be acknowledged in ABB advisories issued for the reported vulnerability. ABB cyber security advisories are publicly available here.

ABB greatly values the contributions of security researchers and other collaborators in strengthening the cyber security of our solutions.”
