Researcher Uncovers 1,000 Vulnerabilities in ABB Energy Systems, Threatens Global Facility Security

January 22, 2025
  • Despite ABB's advice to customers against exposing these systems to the internet, Krstic estimates that around 1,000 facilities globally may still be vulnerable due to such exposure.

  • The identified vulnerabilities include critical and high severity flaws such as unauthorized file access, cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), insecure direct object references (IDOR), security bypasses, denial of service (DoS), SQL injection, and various password issues.

  • Gjoko Krstic, a security researcher, has uncovered over 1,000 vulnerabilities in ABB's building energy management products, particularly the Cylon FLXeon and Aspect solutions.

  • ABB acquired Cylon Controls in 2020; the codebase of the affected products is 19 years old, and significant security improvements were implemented only four years after the acquisition.

  • Among these vulnerabilities, some can be exploited by remote, unauthenticated attackers, potentially granting them complete control over the affected systems.

  • Krstic meticulously analyzed hundreds of PHP and Java files, resulting in over 70 individual advisories, with expectations that this number could reach 150.

  • Frustrated with ABB's handling of the vulnerability disclosure process, Krstic reported some of his findings through the Cybersecurity and Infrastructure Security Agency (CISA) and CERT/CC's Vulnerability Information and Coordination Environment (VINCE).

  • Krstic reported the issues to ABB in the spring of 2024; the company has since released patches and advisories, and CISA has published an advisory as well.

  • The vulnerabilities pose a serious risk, as they could allow attackers to manipulate critical systems such as lighting, HVAC, water pressure, doors, sensors, and industrial control systems in essential facilities, including hospitals and airports.

  • Krstic criticized ABB for assigning only about two dozen Common Vulnerabilities and Exposures (CVE) identifiers to the vulnerabilities, arguing that over 100 should have been designated for individual issues.

Summary based on 1 source
