CVE-2024-6298

Severity: Critical
Published: 05 July 2024
Modified: 05 December 2024
KEV Added: not listed
Patch: see ABB advisory 9AKK108469A7497
CVSS v4.0 score: 9.4 (Critical)
CVSS v4.0 vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:I/V:C/RE:H/U:Red
EPSS score: 0.2594 (96.4th percentile)
Risk Priority: 34 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-6298 is a critical-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability in ABB ASPECT-ENT-12 firmware. Its CVSS v4.0 base score is 9.4 (Critical).

Operationally, its EPSS score ranks it in the top 3.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-6298 is an unauthorized file access vulnerability in the web server component of ABB ASPECT Enterprise, NEXUS Series, and MATRIX Series version 3.08.01. The flaw, tracked under CWE-1287, permits remote arbitrary code execution and carries a CVSS 4.0 score of 9.4 reflecting critical impact across confidentiality, integrity, and availability.

The issue is reachable by an attacker with adjacent-network access and requires no credentials or user interaction; successful exploitation allows reading arbitrary files and executing code on the affected system. Unpatched installations of the listed ABB building-automation products are affected.

ABB has published security advisories (document 9AKK108469A7497) that direct customers to updated firmware or configuration guidance; the references are available from the ABB library links provided in the CVE record.

EPSS for the CVE rose from a low baseline to a peak of 0.3497 (current value 0.2594), indicating measurable post-disclosure exploitation interest that warrants renewed monitoring.

Vulnerability details

Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01; MATRIX Series v3.08.01 allows Attacker to execute arbitrary code remotely

CWE(s)

CWE-1287: Improper Validation of Specified Type of Input
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor  Product                  Affected versions
abb     aspect-ent-12 firmware   ≤ 3.08.01
abb     aspect-ent-2 firmware    ≤ 3.08.01
abb     aspect-ent-256 firmware  ≤ 3.08.01
abb     aspect-ent-96 firmware   ≤ 3.08.01
abb     nexus-2128 firmware      ≤ 3.08.01
abb     nexus-2128-a firmware    ≤ 3.08.01
abb     nexus-2128-f firmware    ≤ 3.08.01
abb     nexus-2128-g firmware    ≤ 3.08.01
abb     nexus-264 firmware       ≤ 3.08.01
abb     nexus-264-a firmware     ≤ 3.08.01

+9 more product configuration(s); see NVD for the full list.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
