Details of VAR-202505-3882

ID

VAR-202505-3882

CVE

CVE-2024-48853

TITLE

ABB products have privilege escalation vulnerabilities

Trust: 0.6

sources: CNVD: CNVD-2025-13773

DESCRIPTION

An escalation of privilege vulnerability in ASPECT could provide an attacker root access to a server when logged in as a "non" root ASPECT user. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications. ABB ASPECT and others are products of ABB of Switzerland. ABB ASPECT is a scalable building energy management and control solution. ABB MATRIX is an embedded building automation network controller. ABB NEXUS is a wireless and wired solution. Many ABB products have a denial of service vulnerability, which is caused by disk overuse. Attackers can exploit this vulnerability to cause system resource exhaustion

Trust: 3.06

sources: NVD: CVE-2024-48853 // CNVD: CNVD-2025-13773 // CNVD: CNVD-2025-13775 // CNVD: CNVD-2025-13731 // CNVD: CNVD-2025-13776

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 2.4

sources: CNVD: CNVD-2025-13773 // CNVD: CNVD-2025-13775 // CNVD: CNVD-2025-13731 // CNVD: CNVD-2025-13776

AFFECTED PRODUCTS

vendor:	abb	model:	aspect-enterprise	scope:	lte	version:	<=3.08.03	Trust: 2.4
vendor:	abb	model:	nexus series	scope:	lte	version:	<=3.08.03	Trust: 2.4
vendor:	abb	model:	matrix series	scope:	lte	version:	<=3.08.03	Trust: 2.4

sources: CNVD: CNVD-2025-13773 // CNVD: CNVD-2025-13775 // CNVD: CNVD-2025-13731 // CNVD: CNVD-2025-13776

CVSS

SEVERITY

CVSSV2

CVSSV3

cybersecurity@ch.abb.com:	CVE-2024-48853
value:	CRITICAL
Trust: 1.0
CNVD:	CNVD-2025-13773
value:	HIGH
Trust: 0.6
CNVD:	CNVD-2025-13775
value:	MEDIUM
Trust: 0.6
CNVD:	CNVD-2025-13731
value:	MEDIUM
Trust: 0.6
CNVD:	CNVD-2025-13776
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2025-13773
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
CNVD:	CNVD-2025-13775
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:L/AU:S/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
CNVD:	CNVD-2025-13731
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
CNVD:	CNVD-2025-13776
severity:	HIGH
baseScore:	7.3
vectorString:	AV:N/AC:L/AU:M/C:C/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.4
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

cybersecurity@ch.abb.com:	CVE-2024-48853
baseSeverity:	CRITICAL
baseScore:	9.0
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	6.0
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2025-13773 // CNVD: CNVD-2025-13775 // CNVD: CNVD-2025-13731 // CNVD: CNVD-2025-13776 // NVD: CVE-2024-48853

PROBLEMTYPE DATA

problemtype:

CWE-286

Trust: 1.0

sources: NVD: CVE-2024-48853

PATCH

title:	Patch for ABB products have privilege escalation vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/702311	Trust: 0.6
title:	Patch for ABB products predict file name vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/702321	Trust: 0.6
title:	Patch for Denial of Service Vulnerabilities in Multiple ABB Products	url:	https://www.cnvd.org.cn/patchInfo/show/702326	Trust: 0.6
title:	Patch for ABB products have weak password storage vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/702336	Trust: 0.6

sources: CNVD: CNVD-2025-13773 // CNVD: CNVD-2025-13775 // CNVD: CNVD-2025-13731 // CNVD: CNVD-2025-13776

EXTERNAL IDS

db:	NVD	id:	CVE-2024-48853	Trust: 3.4
db:	CNVD	id:	CNVD-2025-13773	Trust: 0.6
db:	CNVD	id:	CNVD-2025-13775	Trust: 0.6
db:	CNVD	id:	CNVD-2025-13731	Trust: 0.6
db:	CNVD	id:	CNVD-2025-13776	Trust: 0.6

sources: CNVD: CNVD-2025-13773 // CNVD: CNVD-2025-13775 // CNVD: CNVD-2025-13731 // CNVD: CNVD-2025-13776 // NVD: CVE-2024-48853

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2024-48853	Trust: 1.8
url:	https://search.abb.com/library/download.aspx?documentid=9akk108471a0021&languagecode=en&documentpartid=pdf&action=launch	Trust: 1.6

sources: CNVD: CNVD-2025-13773 // CNVD: CNVD-2025-13775 // CNVD: CNVD-2025-13731 // CNVD: CNVD-2025-13776 // NVD: CVE-2024-48853

SOURCES

db:	CNVD	id:	CNVD-2025-13773
db:	CNVD	id:	CNVD-2025-13775
db:	CNVD	id:	CNVD-2025-13731
db:	CNVD	id:	CNVD-2025-13776
db:	NVD	id:	CVE-2024-48853

LAST UPDATE DATE

2025-06-27T23:08:26.012000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-13773	date:	2025-06-26T00:00:00
db:	CNVD	id:	CNVD-2025-13775	date:	2025-06-26T00:00:00
db:	CNVD	id:	CNVD-2025-13731	date:	2025-06-26T00:00:00
db:	CNVD	id:	CNVD-2025-13776	date:	2025-06-26T00:00:00
db:	NVD	id:	CVE-2024-48853	date:	2025-05-23T15:55:02.040

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-13773	date:	2025-06-26T00:00:00
db:	CNVD	id:	CNVD-2025-13775	date:	2025-06-26T00:00:00
db:	CNVD	id:	CNVD-2025-13731	date:	2025-06-26T00:00:00
db:	CNVD	id:	CNVD-2025-13776	date:	2025-06-26T00:00:00
db:	NVD	id:	CVE-2024-48853	date:	2025-05-22T17:15:23.243