VARIoT IoT vulnerabilities database

VAR-202505-4019 CVE-2025-30172 ABB multiple products code injection vulnerability (CNVD-2025-13765)
CVSS V2: 6.8
CVSS V3: 8.0
Severity: High
Remote Code Execution vulnerabilities are present in ASPECT if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB ASPECT-Enterprise is a scalable building energy management and control solution. ABB NEXUS Series is a monitoring and management system. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications. ABB has a code injection vulnerability in many products that can be exploited by attackers to execute code.

VAR-202505-3492 CVE-2025-30170 ABB multiple product information leakage vulnerability (CNVD-2025-13766)
CVSS V2: 6.8
CVSS V3: 5.5
Severity: Medium
Exposure of file path, file size or file existence vulnerabilities in ASPECT provide attackers access to file system information if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB ASPECT-Enterprise is a scalable building energy management and control solution. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications.

VAR-202505-3302 CVE-2025-30169 ABB multiple product code issues vulnerability (CNVD-2025-13598)
CVSS V2: 8.0
CVSS V3: 6.7
Severity: Medium
File upload and execute vulnerabilities in ASPECT allow PHP script injection if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB ASPECT-Enterprise is a scalable building energy management and control solution. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications. ABB has a code issue vulnerability in many products that can be exploited by attackers to cause PHP script injection.

VAR-202505-2576 CVE-2024-9639 ABB multiple products code injection vulnerability (CNVD-2025-13767)
CVSS V2: 6.8
CVSS V3: 8.0
Severity: High
Remote Code Execution vulnerabilities are present in ASPECT if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB ASPECT-Enterprise is a scalable building energy management and control solution. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications.

VAR-202505-4267 CVE-2024-13931 Path traversal vulnerabilities in multiple ABB products
CVSS V2: 8.3
CVSS V3: 7.2
Severity: High
Relative Path Traversal vulnerabilities in ASPECT allow access to file resources if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB ASPECT-Enterprise is a scalable building energy management and control solution. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications.

VAR-202505-4073 CVE-2024-13930 ABB products have unidentified vulnerabilities
CVSS V2: 6.1
CVSS V3: 4.9
Severity: Medium
An Unchecked Loop Condition in ASPECT provides an attacker the ability to maliciously consume system resources if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB ASPECT-Enterprise is a scalable building energy management and control solution. ABB NEXUS Series is a monitoring and management system. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications. There are security vulnerabilities in multiple ABB products. The vulnerability is caused by unchecked loop conditions. Attackers can exploit this vulnerability to cause system resource consumption.

VAR-202505-2599 CVE-2024-13929 ABB products Servlet injection vulnerability
CVSS V2: 8.3
CVSS V3: 7.2
Severity: High
Servlet injection vulnerabilities in ASPECT allow remote code execution if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB ASPECT-Enterprise is a scalable building energy management and control solution. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications.

VAR-202505-3719 CVE-2024-13928 ABB products have SQL injection vulnerabilities (CNVD-2025-13770)
CVSS V2: 8.3
CVSS V3: 7.2
Severity: High
SQL injection vulnerabilities in ASPECT allow unintended access and manipulation of database repositories if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB ASPECT-Enterprise is a scalable building energy management and control solution. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications.

VAR-202505-3882 CVE-2024-48853 ABB products have privilege escalation vulnerabilities
CVSS V2: 7.6
CVSS V3: 9.0
Severity: Critical
An escalation of privilege vulnerability in ASPECT could provide an attacker root access to a server when logged in as a "non" root ASPECT user. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications. ABB ASPECT and others are products of ABB of Switzerland. ABB ASPECT is a scalable building energy management and control solution. ABB MATRIX is an embedded building automation network controller. ABB NEXUS is a wireless and wired solution. Many ABB products have a denial of service vulnerability, which is caused by disk overuse. Attackers can exploit this vulnerability to cause system resource exhaustion.

VAR-202505-4062 CVE-2024-48850 ABB Multiple Product Catalog Traversal Vulnerabilities
CVSS V2: 8.3
CVSS V3: 7.2
Severity: High
Absolute File Traversal vulnerabilities in ASPECT allow access and modification of unintended resources. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. ABB ASPECT-Enterprise is a scalable building energy management and control solution. ABB MATRIX Series is an embedded IoT ASPECT control engine designed to provide flexible field control for medium to large field control applications.

VAR-202505-2005 CVE-2025-5080 Out-of-bounds write vulnerability in Shenzhen Tenda Technology Co.,Ltd. fh451 firmware
CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability classified as critical has been found in Tenda FH451 1.0.0.9. Affected is the function webExcptypemanFilter of the file /goform/webExcptypemanFilter. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. An out-of-bounds write vulnerability exists in Shenzhen Tenda Technology Co.,Ltd. fh451 firmware. Information may be obtained or tampered with, and service may be put into a denial-of-service (DoS) state. An attacker can exploit this vulnerability to execute code.

VAR-202505-3817 CVE-2025-3945 Argument insertion or modification vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 7.2
Severity: High
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows Command Delimiters. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. Service may be put into a denial-of-service (DoS) state.

VAR-202505-3461 CVE-2025-3944 Improper permission assignment for critical resources vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 7.2
Severity: High
Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows File Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. Service may be put into a denial-of-service (DoS) state.

VAR-202505-3074 CVE-2025-3943 Vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 4.1
Severity: Medium
Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

VAR-202505-2874 CVE-2025-3942 Encoding and escaping vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 4.3
Severity: Medium
Improper Output Neutralization for Logs vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

VAR-202505-3274 CVE-2025-3941 Use of incorrectly resolved name or reference vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 5.4
Severity: Medium
Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. Tridium Niagara and Niagara Enterprise Security contain a vulnerability in the use of incorrectly resolved names and references. Information may be obtained or tampered with, and service may be put into a denial-of-service (DoS) state.

VAR-202505-3992 CVE-2025-3940 Vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 5.3
Severity: Medium
Improper Use of Validation Framework vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. Service may be put into a denial-of-service (DoS) state.

VAR-202505-3275 CVE-2025-3939 Observable discrepancy vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 5.3
Severity: Medium
Observable Response Discrepancy vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

VAR-202505-2532 CVE-2025-3938 Vulnerability in the use of cryptographic algorithms in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 6.8
Severity: Medium
Missing Cryptographic Step vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. Service may be put into a denial-of-service (DoS) state.

VAR-202505-2694 CVE-2025-3937 Use of insufficiently strong password hash vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 7.7
Severity: High
Use of Password Hash With Insufficient Computational Effort vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. Service may be put into a denial-of-service (DoS) state.