CVE-2024-6298
Published: 05 July 2024
Summary
CVE-2024-6298 is a critical-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability in Abb Aspect-Ent-12 Firmware. Its CVSS base score is 9.4 (Critical).
Operationally, it is ranked in the top 3.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-6298 is an unauthorized file access vulnerability in the web server component of ABB ASPECT Enterprise, NEXUS Series, and MATRIX Series version 3.08.01. The flaw, tracked under CWE-1287, permits remote arbitrary code execution and carries a CVSS 4.0 score of 9.4 reflecting critical impact across confidentiality, integrity, and availability.
An attacker with adjacent-network access, no credentials, and no user interaction can exploit the issue to read arbitrary files and execute code on the affected system. The attack requires only network adjacency and succeeds against unpatched installations of the listed ABB building-automation products.
ABB has published security advisories (document 9AKK108469A7497) that direct customers to updated firmware or configuration guidance; the references are available from the ABB library links provided in the CVE record.
EPSS for the CVE rose from a low baseline to a peak of 0.3497 (current value 0.2594), indicating measurable post-disclosure exploitation interest that warrants renewed monitoring.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47993
Vulnerability details
Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01; MATRIX Series v3.08.01 allows Attacker to execute arbitrary code remotely
- CWE(s): CWE-1287 (Improper Validation of Specified Type of Input)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.