Cybersecurity expert Gjoko Krstikj identified over 1,000 vulnerabilities in ABB products


Cybersecurity expert Gjoko Krstikj, a recognized contributor to the IT.MK forum under the username “liquidworm,” recently disclosed alarming vulnerabilities in ABB products. Krstikj, who has a distinguished background in securing large-scale facility management systems, identified over 1,000 vulnerabilities in products manufactured by ABB, a leading company in the electrification and automation sector.

These vulnerabilities could potentially allow for remote attacks and affect ABB’s Cylon FLXeon and ABB Cylon Aspect systems, which are widely used for energy management and building control.

“In my analysis, I identified over 1,000 vulnerabilities within the Aspect system, many of which were classified as critical and high severity. Additionally, I discovered 35 security vulnerabilities in the FLXeon system,” Krstikj told SecurityWeek.

These vulnerabilities encompass a broad spectrum of security risks, including unauthorized file access and modification, cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, denial-of-service (DoS), and numerous others. Of particular concern is that some of these vulnerabilities can be exploited remotely without authentication, potentially granting an attacker complete control over the affected systems.

Krstikj highlights that these vulnerabilities could be leveraged to manipulate critical infrastructure components such as lighting, HVAC systems, water supply, doors, and industrial control systems. This poses a significant risk to facilities like hospitals, stadiums, and airports.

ABB has advised users to avoid exposing these systems to the internet. However, Krstikj estimates that approximately 1,000 facilities globally have these systems exposed and are consequently vulnerable to attack. He initially reported the vulnerabilities to ABB in the spring of 2024. ABB has since addressed the vulnerabilities and released security advisories, including recommendations from CISA for Aspect systems.

However, Krstikj expressed dissatisfaction with the reporting process, alleging that ABB engaged in “silent patching” and failed to provide public recognition for his findings. He also noted that ABB assigned only approximately two dozen CVE identifiers, whereas his analysis indicated that over 100 were warranted. Krstikj conducted an extensive analysis of hundreds of PHP and Java files, resulting in over 70 individual vulnerability reports, with an anticipated total exceeding 150. He asserts that the analyzed files contain at least 1,000 vulnerabilities.

In response to the research findings, ABB released an official statement reaffirming their commitment to delivering products with robust cybersecurity measures. They strongly encouraged researchers to disclose vulnerabilities directly to the company or through national CERT organizations.

The statement read: “At ABB, we are dedicated to providing products, systems, and services that incorporate stringent cybersecurity measures. The prompt and proper management of cybersecurity incidents and vulnerabilities is essential for mitigating risks to our customers. To support this practice, ABB has established a publicly available formal vulnerability management policy.

“We urge anyone who identifies a vulnerability affecting ABB solutions to contact ABB directly at [email protected] or report it through a national CERT or other coordinating organization. Individuals who choose to disclose their identities will be acknowledged in the guidance ABB issues for reported vulnerabilities. ABB’s cybersecurity advisories are publicly accessible on our website.”
