Austin, TX, USA, 4th February 2025, CyberNewsWire

**Austin, TX, USA, February 4th, 2025, CyberNewsWire**

SpyCloud’s Identity Threat Protection solutions spearhead a holistic identity approach to security, illuminating correlated hidden identity exposures and facilitating fast, automated remediation.

SpyCloud, a leading identity threat protection company, announced key innovations in its portfolio, pioneering the shift to holistic identity threat protection. By operationalizing its vast collection of darknet data with automated identity analytics that correlate malware, phishing, and breach exposures across individuals’ past and present work and personal personas, SpyCloud enables security and fraud prevention teams to comprehensively uncover hidden identity assets, rapidly remediate exposures, and better protect their businesses from previously unseen threats.  

Identity security vendors have focused narrowly on securing corporate accounts, leaving organizations vulnerable to cybercriminals exploiting the broader identity exposures of employees, consumers, and suppliers. A shift to an identity-centric perspective is needed, particularly as the scope of identity exposures continues to grow. SpyCloud research reveals that the average individual has as many as 52 unique usernames/emails and 221 passwords exposed on the darknet across their online personal and professional identities. 

The impact of these exposures is evident: nearly a quarter of data breaches resulted from compromised identity data. Credential attacks led to $4.81 million in related costs per breach and took the longest to identify and contain. 

SpyCloud’s holistic identity threat protection addresses these challenges by encompassing the full spectrum of an individual’s online presence. This innovative approach empowers security teams to proactively protect against previously unseen risks, including the darknet exposures of identity and authentication data stolen about employees, consumers, and suppliers that have been beyond their visibility to date. 

> “The cybersecurity industry has spent years and billions of dollars securing accounts, but criminals have moved far beyond account-level access,” said **Ted Ross, SpyCloud’s CEO and Co-Founder**. “The dirty secret of the identity security industry is that efforts to lock down the perimeter fail because they focus on accounts, while bad actors target the full scope of users’ holistic identities. These sprawling identities, exposed through breaches, infostealer infections, and phishing attacks, create shadow data that traditional tools simply can’t address. ”

> Ross continued, “SpyCloud changes the dynamic by providing unmatched visibility into the same data criminals are exploiting, enabling organizations to remediate exposures across the entirety of users’ online personas. This shifts the advantage back to security leaders, empowering them to act on threats that were previously beyond their reach.”

**Key Innovations Underpinning SpyCloud’s Holistic Identity Threat Protection** 

*   **Refined analytics driving actionability on exposed identities:** SpyCloud applies advanced data science and proprietary technology to dynamically correlate billions of recaptured darknet data points, providing a broader and more accurate view of identities. By connecting authentication data, financial data, and personally identifiable information (PII), SpyCloud uncovers hidden relationships across seemingly unrelated accounts, continuously and at scale.
*   **Automated remediation in <15 minutes:** SpyCloud’s holistic identity portfolio now enables rapid, automated remediation within enterprise security ecosystems, including EDR, IdP, SOAR, and SIEM tools. This allows security teams to neutralize threats in less than 15 minutes of discovery, reducing risk without straining resources or operational bandwidth.
*   **Malware reverse engineering to combat ransomware:** SpyCloud specializes in the tracking and analyzing of malware – with deep insights into pervasive infostealers such as Lumma C2, Redline Stealer, Vidar, and more – as they are often a precursor to ransomware. Through its advanced malware reverse analysis, SpyCloud provides comprehensive visibility into malware-exposed data, helping organizations identify compromised devices, users, and applications and closes critical security gaps, including those stemming from unmanaged or under-managed devices used by employees, contractors, and vendors.
*   **Accelerated cybercrime investigations:** SpyCloud’s Investigations solution, used by cyber threat intelligence (CTI) teams, security operations, fraud and risk prevention analysts, and law enforcement globally, includes automated identity analytics to uncover the full scope of digital identity exposures, accelerating complex cybercrime investigations into threat actor attribution, insider risk (including potential hiring fraud), and supply chain risk analysis from days or hours to minutes.

**SpyCloud’s Capabilities Set a New Standard for Identity Security**

SpyCloud champions the transition to holistic identity security, backed by nearly a decade of experience and the industry’s largest repository of recaptured breach, malware-exfiltrated, and successfully phished data. Its holistic identity lens reveals a comprehensive view of exposed identity information – from credentials and PII to financial data and sensitive digital artifacts.

> “SpyCloud’s innovative identity threat protection is about as important as it gets in cyber; identity is **everything**,” said **John N. Stewart, SpyCloud Board Member and former Chief Security and Trust Officer of Cisco.** “By making it possible to view and act on the world’s best source for identity exposures, SpyCloud raised the bar to the top for proactive defense against all types of identity-driven cyber exploitation.”

> “We are redefining identity security by making holistic protection practical and achievable for our customers,” added **Damon Fleury, SpyCloud’s Chief Product Officer.** “SpyCloud has a long history of leading the way in understanding the cybercrime ecosystem, from our early days in world-class ATO prevention to continuing to build solutions that empower organizations to proactively protect against threats stemming from infostealer malware, phished and breach data.” 

> Fleury continued, “This evolution to make holistic identity threat protection a reality for enterprises is critical to our mission of disrupting cybercrime. We aim to stop identity-based threats once and for all.”

To learn more, users can contact SpyCloud or view the following resources:

*   The Holistic Identity Frontier: Why Shift from account-centric Security to holistic identity threat protection
*   Stop identity-based cybercrimes once and for all

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

**Contact**

**Public Relations**  
**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Pioneers the Shift to Holistic Identity Threat Protection

Taiwan has become the latest country to ban government agencies from using Chinese startup DeepSeek's Artificial Intelligence (AI) platform, citing security risks.
"Government agencies and critical infrastructure should not use DeepSeek, because it endangers national information security," according to a statement released by Taiwan's Ministry of Digital Affairs, per Radio Free Asia.
"DeepSeek

Taiwan Bans DeepSeek AI Over National Security Concerns, Citing Data Leakage Risks

An investigation into more than 300 cyberattacks against US K–12 schools over the past five years shows how schools can withhold crucial details from students and parents whose data was stolen.

Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden

PRESS RELEASE

WASHINGTON, Jan. 30, 2025 /PRNewswire/ -- DNSFilter announced today the release of its 2025 Annual Security Report, showcasing an uptick in malicious requests from 2023 to 2024. At internet scale, threats are relentless, but so is the right combination of intel and security strategy. Each malicious request blocked represents a real attack prevented, real harm avoided and real people and organizations protected.

The DNSFilter network processes about 170 billion DNS queries daily, 200 million of which are categorized as threats and blocked. These numbers represent phishing campaigns that never reached their targets, ransomware that never infiltrated networks and malware that never had the chance to spread.

Key findings from the report include:

*   One in every 174 requests is malicious: Most people make 5,000 DNS requests daily, which means a single person could encounter as many as 29 threat inquiries in a single day. This represents a significant increase from last year's findings, where one in every 1,000 queries was a threat.
    
*   AI domains increased by 15% but drove a significant amount of traffic: DNSFilter's researchers found that between October 2023 and September 2024, overall traffic to AI-related sites increased 786% and the number of individual AI domains rose 15%. This shows that a small number of domains account for a significant amount of traffic.
    
*   Phishing queries increased by 203%: While the relative distribution of threats remained consistent over time, phishing and malware inquiries increased (up 14%). This is in-line with a marked increase in ransomware seen across the industry.
    

Ken Carnesi, CEO and co-founder, DNSFilter, said: "Even as the threat landscape changes, our mission remains the same: to defend organizations and people from the worst of the internet. The data from our report makes it clear that DNS continues to be a critical threat gateway. It's also a reminder of the crucial role DNSFilter fills as a frontline defender on the DNS layer. We'll continue to improve, innovate and stand in the gap between our customers and the real-world harm bad actors are trying to cause."

About the company:

DNSFilter is redefining how organizations secure their largest threat vector: the Internet itself. DNSFilter is making the Internet safer and workplaces more productive by blocking threats at the DNS layer. DNSFilter resolves upwards of 170 billion daily queries. With 79% of attacks using Domain Name System (DNS), DNSFilter provides the world's fastest protective DNS powered by AI, blocking threats an average of 10 days faster than traditional threat feeds. Over 35 million users trust DNSFilter to protect them from phishing, malware, and advanced cyber threats.

You May Also Like

DNSFilter's Annual Security Report Reveals Worrisome Spike in Malicious DNS Requests

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/cert endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the affected parameters. The issue arises due to improper input validation in cert.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

Title: ABB Cylon FLXeon 9.3.4 (cert.js) Authenticated Root Remote Code Execution  
Advisory ID: ZSL-2025-5911  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 03.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/cert endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the affected parameters. The issue arises due to improper input validation in cert.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[03.02.2025\] Coordinated public security advisory released.

**PoC**

abb\_flxeon\_rce5.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48841

**Changelog**

\[03.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (cert.js) Authenticated Root Remote Code Execution

PRESS RELEASE

MONTREAL, January 29, 2025 (Newswire.com) - Flare, the global leader in Threat Exposure Management, has introduced Flare Academy, an educational hub featuring interactive online training offered free-of-charge to cybersecurity professionals.

Led by Flare's team of subject matter experts, Flare Academy offers a variety of online training modules on the latest cybersecurity threats to enhance the education and knowledge of cybersecurity practitioners. These sessions will highlight a variety of important topics, including investigation and intelligence gathering on cybercrime forums, techniques for deanonymizing threat actors, and ransomware analysis and infiltration.

Through interactive training sessions, security professionals can upgrade their skills and knowledge on a variety of cybercrime and cybersecurity topics, and earn CPE credits toward security certifications. And with the Flare Academy Discord Community, members can build relationships with other practitioners for continuous learning and engagement.

"Flare Academy will provide cybersecurity professionals with access to training, collaborative discussions, and cutting-edge resources," said Mathieu Lavoie, CTO & Research Team Lead at Flare. "We've launched this program with the goal of helping to empower security professionals with the training and information they need to stay ahead of threats and build a stronger, safer digital world."

A number of training modules are currently available for registration, including:

For more information about Flare Academy, and to register for upcoming modules, visit https://flare.io/trainings/.

About Flare

Flare is the leader in Threat Exposure Management, helping organizations of all sizes detect high-risk exposure found on the clear and dark web. Combining the industry's best cybercrime database with an incredibly intuitive user experience, Flare enables customers to reclaim the information advantage and get ahead of threat actors. For more information, visit https://flare.io.

You May Also Like

Interactive Online Training for Cybersecurity Professionals; Earn CPE Credits

Adversaries looking to ride the DeepSeek interest wave are taking advantage of developers in a rush to deploy the new technology, by using AI-generated malware against them.

Source: ifeelstock via Alamy Stock Photo

Researchers have found malicious DeepSeek-impersonating packages planted in the Python Package Index (PyPi); the code is actually loaded with infostealers. Experts warn that's probably not the only platform loaded with fake, malicious DeepSeek packages, and that developers should proceed with care.

Researchers with Positive Technologies discovered the malicious packages, labeled "deepseekai" and "deepseeek," trying to trick developers into thinking they were legit.

"The attack targeted developers, machine learning \[ML\] engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems," the Positive Technologies researchers wrote in an analysis.

The account behind the attack, "bvk," was created in June 2023 and sat dormant until the campaign sprang to life on Jan. 29, according to the report. When executed, the researchers noted both "deepseeek" and "deepseekai" drop infostealers to steal sensitive data, including API keys, database credentials, and permissions.

The malicious PyPi packages have been deleted, but there's evidence they were downloaded 36 times using the pip package manager and the bandersnatch mirroring tool, and 186 times using the browser, the researchers reported.

"Sometimes API keys aren’t leaked, they’re just plain stolen," Tim Erlin, vice president of product at Wallarm says. "This incident is a good example of attackers taking advantage of the prevailing news cycle. Anytime you’re doing something popular, whether clicking on a link or installing a PyPi package, it’s best to approach the task with a healthy dose of skepticism."

Related:'Constitutional Classifiers' Technique Mitigates GenAI Jailbreaks

That mindset can help developers avoid making similar cybersecurity slip-ups, according to Mike McGuire, senior security solutions manager with Black Duck.

"In their eagerness to leverage DeepSeek in their tasks, many developers missed the 'red flag' that they were downloading packages from an account with a limited, poor reputation, and had their environment variables and secrets compromised as a result," McGuire says.

Ironically given how advanced DeepSeek's capabilities are touted to be, the attack itself was a fairly low-tech affair, Michael Lieberman, CTO at Kusari, notes.

"Typosquatting attacks are popular because they work," Kusari points out. "It's easy for a developer to mistype a word or use something with a similar-sounding name and suddenly their application is pulling in malicious code. Popular or trendy technologies are at particular risk since the pool of potential victims is larger."

Related:DeepSeek Jailbreak Reveals Its Entire System Prompt

**Adversaries Using AI to Write Code Faster Too**

In a novel twist, the researchers found evidence the threat actors used AI to write the malicious code.

"There are clear indications that the compromised code was written with AI assistance, providing a real-world example of AI being used for malicious intent," Wallarm's Erlin says.

Erlin adds that developers should expect similar malicious packages to be scattered among various platforms.

"Developers, with malintent or not, are heavily invested in using AI to be more efficient." he adds. "AI lets developers write more code, faster. We should expect to see the volume of malicious code expand at the same rate as code in general."

To protect their environments from these threats, Raj Mallempati, CEO of BlueFlag Security, says developers need to implement strong security practices throughout the software development lifecycle (SDLC). That means using software composition analysis (SCA) tools, as well as automated vulnerability scanning, limiting the use of unverified packages in developer environments, and threat intelligence monitoring.

"This recent incident underscores the need for developers to specifically protect against threats like OSS typosquatting," Mallempati explains. "Double checking package names and verifying package sources that come from DeepSeek will be key here. As well, developers should enable dependency scanning tools like Github dependabot to ensure they are not downloading malicious packages."

Related:Code-Scanning Tool's License at Heart of Security Breakup

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

AI Malware Dressed Up as DeepSeek Packages Lurk in PyPi

DeepSeek R1, a cost-efficient AI model, achieves impressive reasoning but fails all safety tests in a new study…

DeepSeek R1, a cost-efficient AI model, achieves impressive reasoning but fails all safety tests in a new study by Cisco’s Robust Intelligence. Researchers used algorithmic jailbreaking to demonstrate 100% vulnerability to harmful prompts, raising concerns about its training methods and the need for superior AI security measures.

Chinese start-up DeepSeek has gained attention for introducing large language models (LLMs) with advanced reasoning capabilities and cost-efficient training. Its recent releases DeepSeek R1-Zero and DeepSeek R1 have achieved performance comparable to leading models like OpenAI’s o1 at a fraction of the cost and outperformed Claude 3.5 Sonnet and ChatGPT-4o on tasks like math, coding, and scientific reasoning.

 However, the latest research from Robust Intelligence (now part of Cisco) and the University of Pennsylvania, shared with Hackread.com, reveals critical safety flaws.

Researchers reportedly collaborated to investigate the security of DeepSeek R1, a new reasoning model from the Chinese AI startup DeepSeek. The assessment cost was less than $50 and involved using an algorithmic validation methodology.

The team tested DeepSeek R1, OpenAI’s o1-preview, and other frontier models using an automated jailbreaking algorithm applied to 50 prompts from the HarmBench dataset. These prompts spanned six categories of harmful behaviour, including cybercrime, misinformation, illegal activities, and general harm. 

Their key metric was the Attack Success Rate (ASR), measuring the percentage of prompts that elicited harmful responses. The results were alarming: DeepSeek R1 exhibited a 100% attack success rate, failing to block a single harmful prompt. This contrasts sharply with other leading models, which demonstrated at least some level of resistance to such attacks. 

It is worth noting that researchers used a temperature setting of 0 for reproducibility and verified jailbreaks through automated methods and human oversight. DeepSeek R1’s 100% ASR starkly contrasts with o1, which successfully blocked many adversarial attacks. This suggests that DeepSeek R1 while achieving cost efficiencies in training, has significant trade-offs in safety and security.

Via Cisco’s Robust Intelligence

For your information, DeepSeek’s AI development strategy utilizes three core principles- Chain-of-thought” prompting, reinforcement learning, and distillation, which enhance its LLMs’ reasoning efficiency and self-evaluate reasoning processes.

As per Cisco’s investigation these strategies, while being cost-efficient, may have compromised the models’ safety mechanisms. Compared to other frontier models, DeepSeek R1 appears to lack effective guardrails, making it highly susceptible to algorithmic jailbreaking and potential misuse.  

The research emphasizes the need for rigorous security evaluation in AI development to balance efficiency and reasoning without compromising safety. It also highlights the significance of third-party guardrails for consistent security across AI applications.

Cisco Finds DeepSeek R1 Highly Vulnerable to Harmful Prompts

Dubai UAE, UAE, 3rd February 2025, CyberNewsWire

**Dubai UAE, UAE, February 3rd, 2025, CyberNewsWire**

Artificial Intelligence (AI) is widely recognized for its potential to impact industries and everyday life. Yet, access to AI-driven tools and development has often been confined to tech-savvy enterprises with significant financial resources. Builder.ai, however, is challenging this paradigm by democratizing AI for the next billion users. Its mission is to make AI-driven development accessible and affordable for underrepresented markets and developing countries, fostering innovation and inclusion in a rapidly digitalizing world.

**Bridging the Digital Divide**

In many developing areas, technological progress is hindered by the lack of resources, infrastructure, or expertise. Often, businesses or entrepreneurs in these locations find it tough to get in touch with any advanced tools for constructing software or utilising AI for any application. Builder.ai can bridge this gap by offering software development on a platform that lowers the cost and makes this process easy.

At the heart of the mission of Builder.ai is a belief that innovation should not be limited by geography, budget, or technical know-how. Users can create applications without writing a single line of code on its platform.

By automating much of the development process and using pre-built components, Builder.ai reduces costs and accelerates time-to-market—critical factors for startups and small businesses in resource-constrained environments.

**AI-Powered Accessibility**

Builder.ai’s platform leverages AI to streamline the development journey. From ideation to deployment, AI is at the heart of process optimization, predicting user needs, and delivering customized solutions. For example, its AI assistant, Natasha, assists users in articulating their requirements so that they are clearly stated and there is less chance of error. This is a goldmine for entrepreneurs in developing countries who do not have technical skills but have transformational ideas.

The transparency of pricing on the platform further eliminates barriers. Builder.ai allows users to plan their budgets effectively through upfront cost estimates, thus eliminating the financial unpredictability often associated with traditional software development. This feature is particularly beneficial for small businesses and startups in underrepresented markets, where financial resources are limited.

**Empowering Local Entrepreneurs**

Builder.ai has facilitated the development of many local entrepreneurs. Even small and medium enterprises all around the world that are working as the backbone of economies have at times been hindered due to technology disparities. Builder.ai has helped in alleviating this problem through the provision of a low-cost and user-friendly development platform.

**Supporting Public Sector Initiatives**

The mission of Builder.ai is not only limited to the private sector. In developing countries, governments and non-profit organizations require customized software for health care, education, and public services. However, limited budgets and technical constraints prevent them from implementing such solutions. Builder.ai opens a way out of these difficulties.

**Scaling for the Future**

The more digital adoption accelerates globally, the higher will be the demand for accessible AI-driven tools. Its scalable platform puts Builder.ai in a position to capitalize on that, especially in developing regions where the next wave of digital users will emerge. Its pay-as-you-go model allows businesses to scale their applications as they grow without incurring the usually prohibitive costs.

To supplement this, it emphasizes education and training to create a maximizer out of any user on Builder.ai. Aiding with any knowledge and tools means the company assists in using its platform by such underrepresented-market users, engendering that feel of innovation towards self-reliance.

**Transforming the Global Landscape**

The commitment of Builder.ai towards democratizing AI also means more than technology it depicts a more inclusive and equitable digital landscape. It’s enabling individuals and organizations to realize their potential, irrespective of where they are or how much they have, toward making AI-driven development accessible to the next billion users. Democratization holds far-reaching implications from boosting local economies to battling global challenges through innovative solutions.

Moving ahead with Builder.ai, its footprint on underrepresented markets and developing countries will surely symbolize the future transformation that is technology. Breaks down all barriers and opens opportunities for its customers, creating a better tomorrow by building much-needed software aiming to benefit all human beings.

**About Builder.ai**

Builder.ai is a technology company that makes AI-driven software development accessible and affordable. Its platform enables users to create applications without coding expertise, reducing costs and accelerating digital transformation. By supporting startups, small businesses, and public sector initiatives, Builder.ai fosters innovation in underrepresented markets and developing countries.

For more information, users can visit: https://www.builder.ai/

**Contact**

**Stephanie Lowenthal**  
**Builder.ai**  
**\[email protected\]**

How Builder.ai is Democratizing AI for the Next Billion Users

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/timeConfig endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating parameters such as tz, timeServerYN, and multiple timeDate fields. The vulnerability exists due to improper input validation in timeConfig.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

Title: ABB Cylon FLXeon 9.3.4 (timeConfig.js) Authenticated Root Remote Code Execution  
Advisory ID: ZSL-2025-5910  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 02.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/timeConfig endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating parameters such as tz, timeServerYN, and multiple timeDate fields. The vulnerability exists due to improper input validation in timeConfig.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[02.02.2025\] Coordinated public security advisory released.

**PoC**

abb\_flxeon\_rce4.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48841

**Changelog**

\[02.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#intel