ABB Cylon Aspect 3.08.01 (jsonProxy.php) Information Disclosure
The jsonProxy.php endpoint on the ABB BMS/BAS controller is vulnerable to unauthorized information disclosure. The endpoint proxies requests to internal services without requiring authentication, so an unauthenticated attacker can retrieve sensitive system information, including system time, uptime, memory usage, and network load statistics. This detailed system status data reveals operational characteristics and resource utilization, which could aid in further attacks.
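
For defenders reviewing exposure, the following added example (not part of the original advisory or the vendor's code) scans web access logs for successful jsonProxy.php responses served to clients outside the management network. The combined log format, the `10.20.0.0/24` management subnet and the sample log lines are assumptions constructed for illustration; the advisory gives only the script name, so the matcher keys on that and ignores directory and query string.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the only subnet that should ever reach the controller's web UI.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Common/combined log format: client ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_jsonproxy(target):
    # Match the script name at any path depth; drop query string and fragment.
    path = target.split("?", 1)[0].split("#", 1)[0]
    return path.rsplit("/", 1)[-1] == "jsonProxy.php"

def external_hits(lines, mgmt_nets=MGMT_NETS):
    """Count 2xx jsonProxy.php responses per source address outside mgmt_nets."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_jsonproxy(m["target"]):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or malformed
        if any(src in net for net in mgmt_nets):
            continue  # expected management traffic
        if m["status"].startswith("2"):
            hits[str(src)] += 1  # data was actually returned to this client
    return hits

# Constructed sample log lines (not from a real device).
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2025:10:00:00 +0000] "GET /jsonProxy.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /jsonProxy.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:06 +0000] "GET /some/dir/jsonProxy.php?x=1 HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /jsonProxy.php HTTP/1.1" 403 0',
    '203.0.113.9 - - [01/Jan/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, count in external_hits(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} jsonProxy.php responses served outside management network")
```

Any non-empty result means status data left the management network; restricting the controller's web interface to that network at the firewall or reverse proxy closes the path until a vendor fix is applied.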