Vulnerability Description
E3 Site Supervisor Control (firmware version < 2.31F01) contains a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. An attacker with admin access to the application services can utilize this API to enable remote access to the underlying OS.
CVSS Score
4.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Copeland | E3 Supervisory Controller Firmware | < 2.31f01 |
| Copeland | Site Supervisor Bx 860-1240 | - |
| Copeland | Site Supervisor Bxe 860-1245 | - |
| Copeland | Site Supervisor Cx 860-1260 | - |
| Copeland | Site Supervisor Cxe 860-1265 | - |
| Copeland | Site Supervisor Rx 860-1220 | - |
| Copeland | Site Supervisor Rxe 860-1225 | - |
| Copeland | Site Supervisor Sf 860-1200 | - |
Related Weaknesses (CWE)
References
- https://www.armis.com/research/frostbyte10/ (Mitigation, Third Party Advisory)
FAQ
What is CVE-2025-52548?
CVE-2025-52548 is a vulnerability with a CVSS score of 4.9 (MEDIUM). E3 Site Supervisor Control (firmware version < 2.31F01) contains a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. An attacker wi...
How severe is CVE-2025-52548?
CVE-2025-52548 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-52548?
Check the references section above for vendor advisories and patch information. Affected products include: Copeland E3 Supervisory Controller Firmware, Copeland Site Supervisor Bx 860-1240, Copeland Site Supervisor Bxe 860-1245, Copeland Site Supervisor Cx 860-1260, Copeland Site Supervisor Cxe 860-1265.