Critical vulnerabilities in building automation systems affect global infrastructure
Summary
Over 800 vulnerabilities, many of them zero-days, were found in building automation systems used in 30 countries and 220 cities. These systems, originally developed by American Auto-Matrix in 2008, were acquired by Cylon Controls and later by ABB. The vulnerabilities allow remote takeover of critical infrastructure, including hospitals, airports, and government buildings. They stem from an 18-year-old codebase that has not undergone security reviews. The affected systems were embedded in facilities operated by major companies, including technology campuses, correctional institutions, and entertainment venues. The vendor, ABB, has made efforts to fix some issues but has not been transparent about the patches and has inconsistently scored the severity of the vulnerabilities.
Timeline
- 30.10.2025 23:37 · 1 article
Over 800 vulnerabilities discovered in building automation systems
Security researcher Gjoko Krstic discovered over 800 vulnerabilities, many of them zero-days, in building automation systems used in 30 countries and 220 cities. The vulnerabilities stem from an 18-year-old codebase that has not undergone security reviews. The affected systems were embedded in facilities operated by major companies, including technology campuses, correctional institutions, and entertainment venues. The vendor, ABB, has made efforts to fix some issues but has not been transparent about the patches and has inconsistently scored the severity of the vulnerabilities.
Sources:
- An 18-Year-Old Codebase Left Smart Buildings Wide Open — www.darkreading.com — 30.10.2025 23:37
Information Snippets
- Over 800 vulnerabilities, many of them zero-days, were found in building automation systems.
First reported: 30.10.2025 23:37 · 1 source, 1 article
Sources:
- An 18-Year-Old Codebase Left Smart Buildings Wide Open — www.darkreading.com — 30.10.2025 23:37
- The vulnerabilities affect systems in 30 countries and 220 cities.
First reported: 30.10.2025 23:37 · 1 source, 1 article
Sources:
- An 18-Year-Old Codebase Left Smart Buildings Wide Open — www.darkreading.com — 30.10.2025 23:37
- The affected systems were originally developed by American Auto-Matrix in 2008.
First reported: 30.10.2025 23:37 · 1 source, 1 article
Sources:
- An 18-Year-Old Codebase Left Smart Buildings Wide Open — www.darkreading.com — 30.10.2025 23:37
- The vulnerabilities include backdoors, unencrypted firmware, default credentials, buffer overflows, and unauthenticated remote root exploits.
First reported: 30.10.2025 23:37 · 1 source, 1 article
Sources:
- An 18-Year-Old Codebase Left Smart Buildings Wide Open — www.darkreading.com — 30.10.2025 23:37
- The vendor, ABB, has fixed some issues but has not been transparent about the patches.
First reported: 30.10.2025 23:37 · 1 source, 1 article
Sources:
- An 18-Year-Old Codebase Left Smart Buildings Wide Open — www.darkreading.com — 30.10.2025 23:37
- The vulnerabilities could allow malicious actors to cause real-world physical harm and financial damage.
First reported: 30.10.2025 23:37 · 1 source, 1 article
Sources:
- An 18-Year-Old Codebase Left Smart Buildings Wide Open — www.darkreading.com — 30.10.2025 23:37
- The vendor has reduced the number of exposed systems from about 1,000 to 200.
First reported: 30.10.2025 23:37 · 1 source, 1 article
Sources:
- An 18-Year-Old Codebase Left Smart Buildings Wide Open — www.darkreading.com — 30.10.2025 23:37