ABB Cylon Aspect 3.08.03 (logYumLookup.php) Hybrid Path Traversal

May 23, 2025 invoker category_exploit

Exploit Details

Basic Information

Exploit Title ABB Cylon Aspect 3.08.03 (logYumLookup.php) Hybrid Path Traversal
Exploit ID ZSL-2025-5948
Type zeroscience
Published 2025-05-22T00:00:00
Modified 2025-05-22T00:00:00

CVSS Information

CVSS Score 0.0
Severity NONE
Vector NONE

CVE Information

Exploit Description

Title: ABB Cylon Aspect 3.08.03 (logYumLookup.php) Hybrid Path Traversal Advisory ID: ZSL-2025-5948 Type: Local/Remote Impact:…

Exploit Code

ABB Cylon Aspect 3.08.03 (logYumLookup.php) Hybrid Path Traversal

Vendor: ABB Ltd.

Product web page: https://www.global.abb

Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio

Firmware: <=3.08.03

Summary: ASPECT is an award-winning scalable building energy management

and control solution designed to allow users seamless access to their

building data through standard building protocols including smart devices.

Desc: The ABB Cylon Aspect BAS controller is vulnerable to an authenticated

hybrid path traversal vulnerability in logYumLookup.php due to insufficient

validation of the logFile parameter. The script checks for the presence

of an expected path (/var/log/yum.log) using strpos(), which can be bypassed

by appending directory traversal sequences. This allows an authenticated

attacker to read arbitrary files on the system, potentially exposing sensitive

configuration files, credentials, or logs. The issue stems from a lack of proper

path normalization and strict path validation, enabling attackers to escape

the intended directory restriction.

Tested on: GNU/Linux 3.15.10 (armv7l)

GNU/Linux 3.10.0 (x86_64)

GNU/Linux 2.6.32 (x86_64)

Intel(R) Atom(TM) Processor E3930 @ 1.30GHz

Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz

PHP/7.3.11

PHP/5.6.30

PHP/5.4.16

PHP/4.4.8

PHP/5.3.3

AspectFT Automation Application Server

lighttpd/1.4.32

lighttpd/1.4.18

Apache/2.2.15 (CentOS)

OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)

OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic

@zeroscience

Advisory ID: ZSL-2025-5948

Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5948.php

21.04.2024

$ cat project

P R O J E C T

.|

| |

|’| ._____

___ | | |. |’ .—“|

_ .-‘ ‘-. | | .–‘| || | _| |

.-‘| _.| | || ‘-__ | | | || |

|’ | |. | || | | | | || |

____| ‘-‘ ‘ “” ‘-‘ ‘-.’ ‘` |____

░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░

░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░

$ curl “http://192.168.73.31/logYumLookup.php?logFile=/var/log/yum.log../../../../etc/passwd” \

> -H “Cookie: PHPSESSID=xxx”

View Full Exploit Details

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.