PRESS RELEASE

With a staggering 5263 attacks, 2024 saw the highest volume of ransomware attacks observed since 2021, according to a new report from cybersecurity consulting firm, NCC Group.

In a turbulent year for the cyber landscape, with high-impact attacks on sophisticated nation-state espionage campaigns, attack volume continued to rise. 

LockBit remains top threat actor despite takedown

The infamous threat group LockBit was the top actor of 2024, accounting for 10% (526) of all attacks. However, it’s overall activity declined compared to 2023, with LockBit’s takedown earlier in 2024.

RansomHub followed closely behind. Accountable for 501 attacks, it became the most dominant threat actor in the second half of the year.

Uptick in most regions

North America experienced over half of all attacks in 2024 (55%). Overall, most regions witnessed a rise in attacks, including Asia, South America, and Oceania. Rising global geopolitical tensions and high payouts for ransomware attacks are likely to have attributed to increase across regions. 

Industrials remains a top target

With its crucial role in the global economy, Industrials experienced 27% (1424) of all ransomware attacks in 2024, increasing 15% from 2023. Attacks in the sector have caused mass disruption, affecting critical infrastructure and services and causing material downtime.

Law enforcement whack-a-mole 

There are some encouraging signs that the international community has stepped up efforts to recognise and address the threats posed by cyber adversaries. Notable examples include coordinated law enforcement actions against cybercriminal networks such as Operations Cronos, Magnus, Destabilise, and Serengeti.

Despite short term law enforcement crack downs, threat actors continued to emerge quickly after intervention - LockBit was operating again only five days after its takedown. And with warnings from the group that it will be back in full force by February 2025, it’s evident that governments and law enforcement need to do more to prevent the reemergence of these groups.

Matt Hull, global head of Threat Intelligence at NCC Group said: “The cyber security landscape in 2024 presented unprecedented challenges. The scale and complexity of cyber incidents tested the resilience of businesses and institutions globally. Looking ahead, these challenges are set to escalate as cyber criminals and nation-state actors increasingly exploit the growing integration of technology into all aspects of life.

“Key concerns such as third-party compromises, cloud vulnerabilities, and insecure APIs remain critical. We also can’t ignore the rapid advances in artificial intelligence (AI) that are giving rise to new cybercriminal tactics. And the geopolitical dimension of cyber security adds to the ever-changing threat landscape, with nation-states posing significant risks to critical infrastructure.

“In the face of these challenges, businesses, governments, and individuals must stay vigilant and proactive. By understanding the risks and acting today, we can collectively work towards a more secure digital future.”

2024 Breaks Records With Highest Ever Ransomware Attacks

**Databarracks Launches Air Gap RecoverDatabarracks Launches Air Gap Recover**

PRESS RELEASE

Databarracks has announced the launch of Air Gap Recover, a new service that provides enhanced protection against cyber threats, including ransomware attacks.

Designed specifically for cloud-native environments, Air Gap Recover provides isolated, air-gapped data protection and automated failover to guarantee rapid recovery from any cyber attack.

“Traditional data protection solutions don’t work for cloud-native systems and businesses,” said James Watts, Managing Director of Databarracks.

“Native cloud tools are designed more for simplicity than resilience and lack the functionality you need to fully protect your data. Enterprise backup solutions, on the other hand, struggle to scale and can’t handle the volume of data stored in modern cloud systems. Whichever you choose, your recovery is compromised – it either takes too long to restore operations or, in a worst-case scenario, you’re left with no clean copy of data to recover from at all.

“Air Gap Recover addresses these shortcomings. It’s equipped to protect the petabytes of data and globally distributed architectures within cloud-native environments – allowing for complex cloud-scale recovery.

“In 2025, cyber remains the number one threat to business continuity. We know it is no longer a question of “if” but “when”. But no matter the scale or severity of the cyber event – and cloud-native environments are not immune – Air Gap Recover ensures your critical data is protected. If the worst happens – your cloud account is breached, and your data is encrypted or deleted – you failover instantly to a secure and separate account. Your business stays operational while others would scramble to recover.”

Key features include:

*   Advanced air-gapped security: Data is stored in immutable, isolated cloud accounts to protect against ransomware and other cyber threats.
    
*   Automated failover: Provides immediate cross-region failover to a segregated cloud account, ensuring instant recovery with near-zero downtime.
    

Stepping in where traditional solutions fall short, Air Gap Recover sets a new standard for cloud-native data protection to further strengthen Databarracks’ IT resilience offering.

About Databarracks

Databarracks is the technology and business resilience specialist.

In 2003, we launched one of the world’s first managed Backup services to bring indestructible resilience to mission-critical data.

Today, we deliver award-winning IT resilience and continuity services. We help organisations get the most out of the cloud and protect their data, wherever it lives.

And we back this up with unbeatable support. There’s no such thing as ‘above and beyond’ for our engineers because they only work to one standard: to keep your systems running perfectly.

Enterprise-class continuity, security, and resilience. Accessible for all. 

You May Also Like

Databarracks Launches Air Gap Recover

A year after Google and Yahoo started requiring DMARC, the adoption rate of the email authentication specification has doubled; and yet, 87% of domains remain unprotected.

Source: Tapati Rinchumrus via Shutterstock

A year after Google and Yahoo forced bulk email senders to implement the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard, the rate of the adoption of DMARC among domains has doubled, although many of the same email threats continue to successfully deliver payloads or redirect unwary users to phishing sites.

The increase in adoption started in February 2024, when Google and Yahoo started requiring bulk email senders — defined as any company sending more than 5,000 email messages daily — to use DMARC. The email authentication standard uses two authentication specifications — Sender Policy Framework (SPF) and DomainsKeys Identified Mail (DKIM) — to confirm that an email comes from an authorized email server and on behalf of the purported sender. The technology makes it much more difficult to spoof email from a legitimate company or brand.

In the past year, adoption has increased by about 2.3 million domains, but that still leaves about 87% of domains without a DMARC record, according to data published by cyber-resilience firm Red Sift on Feb 5. Adoption is also uneven, with organizations in Austria, Japan, and Indonesia seeing some of the highest growth and publicly traded companies making the most significant gains.

Related:Microsoft: Thousands of Public ASP.NET Keys Allow Web Server RCE

While doubling the adoption rate of DMARC is a significant success, the private sector needs to do better, says Sean Costigan, managing director of resilience strategy at Red Sift.

"DMARC is considered an indicator of cyber maturity in many sectors, and we are still in the early days — healthcare, for example, is struggling to surpass 40% to 50% adoption," he says, adding that "widely, properly managed DMARC adoption will reduce spoofing, phishing and other forms of cybercrime."

Source: Red Sift

Google, for example, has seen a significant reduction in questionable email. In 2024, Gmail users saw 265 billion fewer unauthenticated emails, or about 65% less. During the 2024 holidays, a season that typically sees a massive spike in phishing attacks, users encountered 35% fewer scams, says Neil Kumaran, group product manager at Google.

"We think these improvements represent a huge boost in the health of the email ecosystem overall," he says. "We are actually seeing the industry embrace these requirements, seeing how important they are to increase the healthy ecosystem for everybody."

**DMARC Adoption Likely to Accelerate**

Large email senders are not the only groups quickening the pace of DMARC adoption. The latest Payment Card Industry Data Security Standard (PCI DSS) version 4.0 requires DMARC for all organizations that handle credit card information, while the European Union's Digital Operational Resilience Act (DORA) makes DMARC a necessity for its ability to report on and block email impersonation, Red Sift's Costigan says.

Related:Abandoned AWS Cloud Storage: A Major Cyberattack Vector

"Mandatory regulations and legislation often serve as the tipping point for most organizations," he says. "Failures to do reasonable, proactive cybersecurity — of which email security and DMARC is obviously a part — are likely to meet with costly regulatory actions and the prospect of class action lawsuits."

Overall, the authentication specification is working as intended, which explains its arguably rapid adoption, says Roger Grimes, a data-driven-defense evangelist at security awareness and training firm KnowBe4. Other cybersecurity standards, such as DNSSEC and IPSEC, have been around longer, but DMARC adoption has outpaced them, he maintains.

"DMARC stands alone as the singular success as the most widely implemented cybersecurity standard introduced in the last decade," Grimes says.

**Subdomain Attacks Exploit Gaps**

Yet that does not mean that threats have diminished. Attackers have adapted, Grimes says. Typically, attackers will just use lookalike domains — or use creative punctuation to create confusion — and fool the end user while still sending messages from an authenticated domain.

Related:Name That Toon: Incentives

"Since the creation and wide-scale adoption of DMARC, the percentage and number of phishing emails claiming to be from a particular legitimate domain are significantly less, perhaps just a few percent of what they used to be," Grimes says. "Unfortunately, phishers just created new illegitimate domains, often with lookalike names, that they then applied DMARC on so that the new, illegitimate domains passed DMARC inspection."

One technique used to dodge DMARC is "subdomail," where attackers seek out SPF records that include unregistered domains, and then take control of the orphaned domains as a way to conduct massive spamming campaigns. In one case, an SPF record for msnmarthastewartsweeps.com "included" two domains, allowing any authorized mail servers listed in those domain records to send authenticated email. In the Sender Policy Framework, the "include" keyword allows on domain to specify that those domains' lists of authenticated email servers should be trusted. For msnmarthastewartsweeps.com, that resulted in nearly 18,000 domains being authorized to send email on behalf of the domain.

Because the email messages make it past DMARC checks, they are more likely to successfully impersonate other companies, says Red Sift's Costigan.

"SubdoMailing exploits gaps in DMARC safeguards, allowing attackers to send emails from subdomains that pass both SPF and DMARC checks," he says. "These messages appear legitimate and are incredibly deceptive."

**BIMI on Deck for Email Security**

Still, companies gain much more visibility into their email by using DMARC, as the standard includes a reporting function that allows companies — or service providers on their behalf — to track email failures. Thus, companies should rapidly move from "none" to "quarantine" to "reject" as their policy, experts say.

In addition, companies should also look to take the next step, moving to Brand Indicators for Message Identification or BIMI, which allows companies to present a logo to email recipients. BIMI requires strict DMARC, however, and only about a third of domains currently comply, according to Red Sift's data.

While none of these technologies solve the problem of malicious emails, they all give companies and their email service providers more reliable signals to use to filter out unwanted messages and potential attacks, says Google's Kumaran. DMARC adoption does not boil down to "authenticated mail is good, and unauthenticated email is bad," he says.

"The idea is that authentication gives you confidence of the source of the message, and then you can start to do a better job of classification and actually providing protections to users," Kumaran says. "So I think it's a very desirable behavior if 100% of attacks are actually authenticated, because it makes the job of protecting people — and gives those the folks working in defending — stronger signals on which to operate."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Google's DMARC Push Pays Off, but Email Security Challenges Remain

A cybercriminal calling themselves emirking is offering 20 million OpenAI accounts for sale on a Dark Web forum

A cybercriminal acting under the monicker “emirking” offered 20 million OpenAI user login credentials this week, sharing what appeared to be samples of the stolen data itself.

Post by emirking

A translation of the Russian statement by the poster says:

> “When I realized that OpenAI might have to verify accounts in bulk, I understood that my password wouldn’t stay hidden. I have more than 20 million access codes to OpenAI accounts. If you want, you can contact me—this is a treasure.”

The statement suggests that the cybercriminal found access codes which could be used to bypass the platform’s authentication systems. It seems unlikely that such a large amount of credentials could be harvested in phishing operations against users, so if the claim is true, emirking may have found a way to compromise the _auth0.openai.com_ subdomain by exploiting a vulnerability or by obtaining administrator credentials.

While emirking looks like a relatively new user of the forums (they joined in January 2025), that doesn’t necessarily mean anything. They could have posted under another handle previously and switched because of security reasons.

Millions of users around the world rely on OpenAI platforms like ChatGPT and other GPT integrations.

With the allegedly stolen credentials, cybercriminals could possibly access sensitive information provided during conversations and queries with OpenAI. This stolen data could prove useful in targeted phishing campaigns and financial fraud. But the stolen credentials could also be used to abuse the OpenAI API and have the victims pay for their usage of OpenAI’s “Plus” or “Pro” features. However, other users of the same dark web forum claimed that the posted credentials did not provide access to the ChatGPT conversations of the leaked accounts.

True or not, this comes at a bad time for OpenAI after Microsoft recently investigated accusations that DeepSeek used OpenAI’s ChatGPT model to train DeepSeek’s AI chatbot.

**What can users do?**

If you fear that this breach might include your credentials you should:

*   Change your password.
*   Enable multi-factor authentication (MFA).
*   Monitor your account for any unusual activity or unauthorized usage.
*   Beware of phishing attempts using the information that might be stolen as part of this breach.

BreachForums, the Dark Web forum where the accounts were offered for sale was offline at the time of writing, so we were unable to verify any claims ourselves. We will do so when the opportunity arises and keep you posted, so stay tuned.

 20 Million OpenAI accounts offered for sale 

UpGuard discovers exposed Ollama APIs revealing DeepSeek model adoption globally. See where these AI models are running and the security risks involved.

Cybersecurity researchers at third-party risk management firm UpGuard have identified a vulnerability surrounding exposed Ollama APIs, which provide access to running AI models. These exposed APIs not only pose security risks for model owners but also offer a unique opportunity to gauge the adoption rate and geographic distribution of specific AI models, such as **DeepSeek**.

**Ollama** is an AI model framework that simplifies interaction with models by providing a user-friendly interface for selecting and downloading models. However, as per UpGuard’s research, shared exclusively with Hackread.com ahead of its release, the API can be exposed to the public internet; its functions to push, pull, and delete models can put data at risk and unauthenticated users can also bombard models with requests, potentially causing costs for cloud computing resource owners. Existing vulnerabilities within Ollama could also be exploited. 

According to UpGuard’s **research**, there is already evidence of the vulnerability being exploited, with targeted IPs being tampered with.

  
A screenshot provided by UpGuard to Hackread.com shows an Ollama instance where the models appear to have been deleted.

Researchers expressed concern that Ollama APIs are likely used by hobbyists on home or small business internet connections or university networks and these systems can be easily compromised and incorporated into botnets for future attacks.

UpGuard also analyzed the distribution of DeepSeek models across different parameter sizes running on exposed Ollama APIs. The 14b and 7b options (representing models with 14 billion and 7 billion parameters) were the most commonly observed among the exposed DeepSeek models, suggesting that many users are opting for these mid-range models.

Approximately seven thousand IP addresses currently expose Ollama APIs, indicating an over 70% rise in three months, since in its survey **Laava** found four thousand IP addresses in November 2024. Out of these exposed IPs, 700 are running some version of DeepSeek. Specifically, 334 are utilizing models from the deepseek-v2 family, while 434 are running the newer deepseek-r1 model. 

Geographically, the highest concentration of IPs running DeepSeek models is located in China (171 IP addresses, representing 24.4%), followed by the U.S. (140 IP addresses, or 20%), and Germany (90 IP addresses, or 12.9%). 

Furthermore, the distribution of DeepSeek models within the US by Internet Service Provider (ISP) analysis reveals a diverse range of providers, from large entities like Google LLC and AT&T Enterprises LLC to smaller providers and universities. Also, researchers found the highest concentration of DeepSeek instances in China, the US, and Germany, with other countries contributing smaller percentages.

> _“There are really two things that surprised us in this research: how fast exposed Ollama APIs are growing, and how quickly DeepSeek has spread. Either of those could have big consequences in the future.”_
> 
> Greg Pollock, Director of Research and Insights – Upguard

It is worth noting that DeepSeek has been restricted by entities like the **US Navy**, the state of **Texas**, **NASA**, and Italy over concerns of possible data leakage to the Chinese government. While these concerns may not apply to open-source models, most users are unlikely to scrutinize the code, UpGuard researchers noted along with identifying potential risks within the models themselves.

Therefore, to prevent **AI data leakage**, it is essential to audit one’s attack surface for exposed Ollama APIs and remain aware of which models or AI products can be crucial in third-party risk management.

7,000 Exposed Ollama APIs Leave DeepSeek AI Models Wide Open to Attack

As the cost of data breaches continues to climb, the role of user and entity behavioral analytics (UEBA) has never been more important.

Jackie Wyatt, Adjunct Professor of Cyber Studies, University of Tulsa

February 7, 2025

4 Min Read

Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

Last year, the cost of a data breach rose 10%, from $4.4 million to $4.8 million, as stated by IBM's annual "Cost of a Data Breach Report." According to cybersecurity firm Vectra AI, more than 70% of security operations center (SOC) leaders fear that a real attack will be hidden under an overwhelming flood of false-positive alerts and other security noise. The resulting burnout may be contributing to the labor shortage plaguing the industry. 

As the cost of data breaches continues to climb along with the deluge of meaningless alerts on an increasingly stressed workforce, the role of behavioral analytics in cybersecurity, or user and entity behavioral analytics (UEBA), has never been more important. That role is even more critical for schools, government agencies, and hospitals and other healthcare facilities. These entities play crucial roles in our day-to-day lives but operate with limited resources. They tend to have smaller cybersecurity teams and less money, amplifying the potential perils of a breach. In fact, the smaller the team, the greater the need for UEBA, which has a number of benefits.

**Weeds Out the Noise **

In the absence of behavioral analytics, every login and machine connection can result in an alert for the SOC. Without the ability to differentiate true threats from false positives, every threat detected is treated with high priority, which may cause the true positives to either get missed or not be addressed in a timely fashion. In places like schools, government offices, and medical facilities the consequences of missing an actual threat are monumental. These establishments thrive on their reputation while accumulating critical information that could mean life or death for a person.   

The danger of alert fatigue is real, causing SOC analysts to eventually ignore certain signals or attempt to address them all with no sense of which ones indicate actual risk. UEBA tracks access patterns across people, machines, and systems; eventually detecting and alerting the SOC only when there's a true risk. Not only does this approach cut out alert noise, it also limits the information bombarding the security team, reduces false positives, and virtually eliminates alert fatigue so analysts can focus on important alerts. Using behavioral analytics to detect the patterns that are normal makes it much easier to spot the ones that aren't. 

**Allows for Prioritization**

Using UEBA is already a no-brainer for many SOCs, but it has not been implemented for most hospitals, government institutions, and schools. Analyzing behavior patterns could have an even bigger payoff for those types of entities, in part because their teams are small. With a fully functioning, automated UEBA system, analysts know alerts are far more likely to be credible and worth their time to investigate. 

When discussing pattern detection and automation, AI naturally springs to mind. This makes perfect sense because UEBA is an excellent use case for AI. The kind of public sector/public good entities that have the most limited resources are best suited to leverage the power of AI combined with UEBA. It could virtually eliminate the disadvantage of fewer resources because a well-trained AI would only surface credible threats for human vetting. AI is not susceptible to alert fatigue, burnout, or the lure of a higher salary elsewhere. An automated system may be able to handle threat response, however its greatest potential lies in prioritizing potential threats for SOC analysts to analyze them more efficiently. This saves engineers and analysts countless hours, since they do not have to craft rules and queries to achieve the desired outcome.

**Reduces Risk **

It may be difficult for some executives to wrap their heads around placing an automated system at the heart of their security operations. Some worry about all the company data being in one place. Others fear AI might miss something, but it seems that the risk of a small and overwhelmed team subject to burnout is greater. While it's possible for a problem to surface with AI, it's more likely that a problem will arise with stressed out people.  

Some companies have already seen the benefit of involving AI in their security operations. About 70% of those that responded to a Vectra AI survey said AI has already reduced burnout and increased threat detection and response abilities. Imagine moving the needle that much for the places that instruct our kids, provide healthcare, and keep the lights on. 

**About the Author**

Adjunct Professor of Cyber Studies, University of Tulsa

Jackie Wyatt is an adjunct professor of cyber studies at the University of Tulsa and a cybersecurity operations analyst at QuikTrip. Jackie received a master’s degree in cybersecurity from Maryville University. She holds the Certified Enterprise Defender (GCED) certification and Coin from SANS, marking her as an expert in network defense and incident response. Her combination of advanced education and hands-on experience makes her a valuable figure in the cybersecurity field.

Behavioral Analytics in Cybersecurity: Who Benefits Most?

A new audit of DeepSeek's mobile app for the Apple iOS operating system has found glaring security issues, the foremost being that it sends sensitive data over the internet sans any encryption, exposing it to interception and manipulation attacks.
The assessment comes from NowSecure, which also found that the app fails to adhere to best security practices and that it collects extensive user and

DeepSeek App Transmits Sensitive User and Device Data Without Encryption

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild.
The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution.
"This could

CISA Warns of Active Exploitation in Trimble Cityworks Vulnerability Leading to IIS RCE

The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated WebSocket implementation that allows an attacker to execute the tcpdump command. This command captures network traffic and filters it on serial ports 4855 and 4851, which are relevant to the device's services. The vulnerability can be exploited in a loop to start multiple instances of tcpdump, leading to resource exhaustion, denial of service (DoS) conditions, and potential data exfiltration. The lack of authentication on the WebSocket interface allows unauthorized users to continuously spawn new tcpdump processes, amplifying the attack's impact.

Title: ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC  
Advisory ID: ZSL-2025-5913  
Type: Local/Remote  
Impact: DoS  
Risk: (5/5)  
Release Date: 07.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated WebSocket implementation that allows an attacker to execute the tcpdump command. This command captures network traffic and filters it on serial ports 4855 and 4851, which are relevant to the device's services. The vulnerability can be exploited in a loop to start multiple instances of tcpdump, leading to resource exhaustion, denial of service (DoS) conditions, and potential data exfiltration. The lack of authentication on the WebSocket interface allows unauthorized users to continuously spawn new tcpdump processes, amplifying the attack's impact.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[07.02.2025\] Coordinated public security advisory released.

**PoC**

ws.sh

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48849

**Changelog**

\[07.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.

Title: ABB Cylon FLXeon 9.3.4 (runtimeSetup.sh) Hidden Backdoor Account  
Advisory ID: ZSL-2025-5914  
Type: Local/Remote  
Impact: Security Bypass, System Access, DoS, Privilege Escalation  
Risk: (5/5)  
Release Date: 07.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[07.02.2025\] Coordinated public security advisory released.

**PoC**

abb\_flxeon\_bd1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch

**Changelog**

\[07.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Latest News