ABB has issued a comprehensive cybersecurity advisory revealing 32 security vulnerabilities impacting its ASPECT Building Management System, including several high-severity flaws enabling remote code execution and privilege escalation.
In a newly published advisory dated May 22, 2025, ABB warned of multiple security flaws in the ASPECT platform (version ≤3.08.03), including the ASPECT-Enterprise, NEXUS Series, and MATRIX Series devices. While many of the vulnerabilities have been addressed in version 3.08.04, ABB explicitly stated: "At the moment there are no plans of corrective measures for remaining vulnerabilities in the affected products."
ABB's advisory catalogues 32 vulnerabilities, ranging from privilege escalation to insecure file handling and weak password storage. Among the most critical issues:
CVE-2024-48853 (CVSS v4.0 score: 9.5): Authenticated Privilege Escalation. A flaw allowing an authenticated guest user to escalate privileges to root. "An escalation of privilege vulnerability in ASPECT could provide an attacker root access to a server when logged in as a 'non-root' ASPECT user," ABB reported.
CVE-2024-9639 (CVSS v4.0 score: 7.5): Authenticated Remote Code Execution (RCE). Allows code injection if administrator credentials are compromised.
CVE-2025-2410 & CVE-2025-2409 (both rated CVSS v3.1: 9.1): Admin Port Manipulation & System File Corruption. Attackers can open/close ports and overwrite critical system files. "This issue affects ASPECT <= 3.08.03," noted ABB, warning of potential port-level attacks if session credentials are exposed.
CVE-2024-13952 (CVSS v4.0: 8.7): Remote Code Execution. An RCE vulnerability that remains unpatched because of the product's end-of-support status.
"An attacker who successfully exploits this vulnerability might be able to tamper with data and compromise integrity," ABB warns in its impact assessment. In total, 19 of the 32 CVEs are marked as having no planned fixes, leaving legacy systems potentially exposed.
ASPECT is a legacy on-premises BMS solution that ABB is actively phasing out. "ABB has decided to replace ASPECT and will introduce customers to a new solution based on the latest Industry level cyber security standards," the advisory stated. "Customers who have concerns about continuing the operation of ASPECT may contact ABB sales service to become advised about further support options."
While ABB assures that "ASPECT devices are not intended to be internet-facing", misconfigurations and exposure via port forwarding or direct ISP access remain prevalent risks.
ABB strongly advises all customers to take the following steps:
Disconnect ASPECT devices from direct internet exposure immediately.
Ensure ASPECT is behind a secure VPN gateway and firewall.
Change default credentials and restrict physical and remote access to trusted personnel only.
Upgrade all systems to firmware version 3.08.04 where patches are available.
Avoid operating ASPECT in unsecured network segments.
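As an added illustration (not ABB's tooling or code from the advisory), the following script triages a constructed ASPECT device inventory against the advisory's thresholds: anything at or below 3.08.03 is flagged for upgrade to 3.08.04, while internet exposure and default credentials are flagged on every version because 19 of the 32 CVEs have no planned fix. The Device record and the sample inventory are assumptions for the example.

```python
# Added illustration, not ABB tooling: triage an ASPECT inventory against the
# advisory's version threshold. Device fields and sample data are constructed.
from dataclasses import dataclass

LAST_AFFECTED = (3, 8, 3)  # advisory: "affects ASPECT <= 3.08.03"
FIXED_IN = "3.08.04"       # release carrying the fixes that do exist


def parse_version(text: str) -> tuple[int, int, int]:
    """'3.08.03' -> (3, 8, 3); numeric so '3.10.00' sorts above '3.08.04'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ASPECT version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


@dataclass
class Device:  # constructed inventory record
    name: str
    product: str  # ASPECT-Enterprise, NEXUS Series or MATRIX Series
    version: str
    internet_facing: bool
    default_credentials: bool


def triage(dev: Device) -> list[str]:
    """Actions the advisory's guidance implies for one device."""
    actions = []
    if parse_version(dev.version) <= LAST_AFFECTED:
        actions.append(f"upgrade {dev.version} -> {FIXED_IN}")
    # 19 of 32 CVEs have no planned fix, so isolation applies to every version.
    if dev.internet_facing:
        actions.append("remove internet exposure; place behind VPN and firewall")
    if dev.default_credentials:
        actions.append("change default credentials; restrict access")
    return actions


def triage_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Device name -> actions; devices needing nothing are left out."""
    return {d.name: triage(d) for d in devices if triage(d)}


SAMPLE_INVENTORY = [  # constructed sample data
    Device("bms-hq-01", "ASPECT-Enterprise", "3.08.03", True, True),
    Device("bms-hq-02", "NEXUS Series", "3.08.04", False, False),
    Device("bms-site-07", "MATRIX Series", "3.10.00", True, False),
]

if __name__ == "__main__":
    for name, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: " + "; ".join(actions))
```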