Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
Severity
7.1 HIGH
EPSS
1.1%
top 21.83%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published May 22
Latest update May 25

Description

DLLs are not digitally signed when loaded in ASPECT's configuration toolset, exposing the application to binary planting during device commissioning. This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

Affected Packages (3 packages)

CVEListV5 abb/nexus_series 3.*
CVEListV5 abb/matrix_series 3.*
CVEListV5 abb/aspect-enterprise 3.*

🔴 Vulnerability Details

3
CVEList
Binary Planting / LoadLibrary DLL's not Signed (2025-05-22)
GHSA
GHSA-9g48-983j-g56m: DLL's are not digitally signed when loaded in ASPECT's configuration toolset exposing the application to binary planting during device commissioning (2025-05-22)
GHSA
Apache Cassandra: unrestricted deserialization of JMX authentication credentials (2025-02-04)

💥 Exploits & PoCs

1
Exploit-DB
ABB Cylon Aspect Studio 3.08.03 - Binary Planting (2025-05-25)

📋 Vendor Advisories

1
Red Hat
org.apache.cassandra:cassandra-all: Apache Cassandra: unrestricted deserialization of JMX authentication credentials (2025-02-04)