Researchers at Armis Labs have uncovered a set of ten severe vulnerabilities in Copeland E2 and E3 controllers, devices that are widely used to manage HVAC, refrigeration, lighting, and building systems across industries. Collectively dubbed “Frostbyte10”, these flaws pose a major risk to critical infrastructure and supply chains.
According to the report, “Armis Labs identified ten vulnerabilities affecting Copeland E2 and E3 controllers, devices that are integral to managing critical building and refrigeration systems, including compressor groups, condensers and walk-in units, HVAC and lighting systems.”
The vulnerabilities range from predictable admin password generation to remote code execution (RCE) and unauthenticated file operations. Exploiting them could allow attackers to manipulate system parameters, disable essential functions, or even gain root-level access.
Armis stresses the consequences go beyond digital disruption:
- “Food can spoil or become unsafe if refrigeration control is lost.”
- “Goods can be contaminated if refrigeration is disabled or tampered with.”
- “Lighting systems could fail to activate in an emergency.”
- “Cold chain logistics and cooling systems could be rendered inoperable.”
With global retail infrastructure increasingly targeted by cybercriminals, these flaws make Copeland controllers a high-value target for ransomware operators and other adversaries.
Among the most serious issues highlighted are:
- CVE-2025-6519 (CVSS 9.3): Predictable generation of the default “ONEDAY” admin password for E3 controllers, which cannot be deleted or modified.
- CVE-2025-52548 (CVSS 9.2): Predictable Linux root password generation on each boot, enabling attackers to escalate privileges.
- CVE-2025-52551 (CVSS 9.3): A proprietary protocol in E2 controllers allowing unauthenticated file operations across the system.
Other vulnerabilities include stored XSS, denial-of-service in application services, and unsigned firmware upgrade packages, all of which expand the attack surface.
Armis confirms that fixes are now available: “Today, updated Copeland firmware is available and we recommend patching affected devices to ensure the vulnerabilities are addressed promptly.”
- Copeland E2 controllers have reached end-of-life (October 2024); migration to the E3 platform is advised.
- Copeland E3 controllers should be updated to firmware version 2.31F01 or later.
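As an added illustration of the remediation guidance above (example code written for this page, not Armis's or Copeland's own tooling), the script below triages a constructed asset inventory against the two stated actions: E2 units are flagged for migration and E3 units are compared against firmware 2.31F01. The `<major>.<minor><letter><build>` version layout is an assumption inferred from that single version string, as are the hostnames and versions in the sample inventory.

```python
import re

# Remediation thresholds as stated in the advisory summary.
E3_MIN_FIRMWARE = "2.31F01"
E2_EOL = "October 2024"

# Assumed layout: <major>.<minor><release letter><build>, e.g. "2.31F01".
# Inferred from the one version string on the page; verify against vendor docs.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([A-Z])(\d+)$")


def parse_version(version: str) -> tuple:
    """Turn '2.31F01' into a comparable tuple (2, 31, 'F', 1)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    major, minor, letter, build = m.groups()
    return (int(major), int(minor), letter, int(build))


def triage(model: str, firmware: str) -> str:
    """Return the remediation action for one controller."""
    model = model.strip().upper()
    if model == "E2":
        return f"MIGRATE: E2 is end-of-life ({E2_EOL}); move to the E3 platform"
    if model == "E3":
        try:
            current = parse_version(firmware)
        except ValueError:
            return "REVIEW: unparseable firmware string, verify manually"
        if current < parse_version(E3_MIN_FIRMWARE):
            return f"UPDATE: firmware {firmware} is below {E3_MIN_FIRMWARE}"
        return "OK: firmware at or above the fixed release"
    return "UNKNOWN: not a Copeland E2/E3 controller; not covered by this advisory"


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "cooler-ctl-01", "model": "E3", "firmware": "2.30F02"},
    {"host": "cooler-ctl-02", "model": "E3", "firmware": "2.31F01"},
    {"host": "walkin-ctl-07", "model": "E2", "firmware": "4.09F01"},
    {"host": "hvac-ctl-03", "model": "E3", "firmware": "n/a"},
]


def triage_inventory(inventory=SAMPLE_INVENTORY) -> dict:
    """Map each host to its remediation action."""
    return {row["host"]: triage(row["model"], row["firmware"]) for row in inventory}


if __name__ == "__main__":
    for host, action in triage_inventory().items():
        print(f"{host:16} {action}")
```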
Best practices include isolating OT systems from IT networks, monitoring remote access, and conducting regular vulnerability scans.
The Frostbyte10 vulnerabilities serve as a stark reminder that cyber risks can directly impact physical infrastructure, food safety, and global supply chains.
As Armis Labs warns, “Due to the severity of these vulnerabilities and the impact, we urge any organization using these controllers to assess their current exposure and to deploy mitigation actions immediately.”