ABB Cylon Aspect 3.08.03 (productRemovalUpdate.php) Remote Code Execution

May 23, 2025 invoker category_exploit

Exploit Details

Basic Information

Exploit Title ABB Cylon Aspect 3.08.03 (productRemovalUpdate.php) Remote Code Execution
Exploit ID ZSL-2025-5945
Type zeroscience
Published 2025-05-22T00:00:00
Modified 2025-05-22T00:00:00

CVSS Information

CVSS Score 0.0
Severity NONE
Vector NONE

CVE Information

Exploit Description

Title: ABB Cylon Aspect 3.08.03 (productRemovalUpdate.php) Remote Code Execution Advisory ID: ZSL-2025-5945 Type: Local/Remote Impact: System…

Exploit Code

ABB Cylon Aspect 3.08.03 (productRemovalUpdate.php) Remote Code Execution

Vendor: ABB Ltd.

Product web page: https://www.global.abb

Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio

Firmware: <=3.08.03

Summary: ASPECT is an award-winning scalable building energy management

and control solution designed to allow users seamless access to their

building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an authenticated blind OS command

injection vulnerability. This can be exploited to inject and execute arbitrary

shell commands through the ‘instance’ HTTP POST parameter called by the

productRemovalUpdate.php script. The token (key POST param) needs to be set

to 159 to trigger the command execution.

Tested on: GNU/Linux 3.15.10 (armv7l)

GNU/Linux 3.10.0 (x86_64)

GNU/Linux 2.6.32 (x86_64)

Intel(R) Atom(TM) Processor E3930 @ 1.30GHz

Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz

PHP/7.3.11

PHP/5.6.30

PHP/5.4.16

PHP/4.4.8

PHP/5.3.3

AspectFT Automation Application Server

lighttpd/1.4.32

lighttpd/1.4.18

Apache/2.2.15 (CentOS)

OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)

OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic

@zeroscience

Advisory ID: ZSL-2025-5945

Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5945.php

21.04.2024

$ cat project

P R O J E C T

.|

| |

|’| ._____

___ | | |. |’ .—“|

_ .-‘ ‘-. | | .–‘| || | _| |

.-‘| _.| | || ‘-__ | | | || |

|’ | |. | || | | | | || |

____| ‘-‘ ‘ “” ‘-‘ ‘-.’ ‘` |____

░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░

░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░

$ curl http://192.168.73.31/productRemovalUpdate.php \

> -H “Cookie: PHPSESSID=xxx” \

> -d “key=159&instance=`sleep 7`”

View Full Exploit Details

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.