Armis Labs reports multiple vulnerabilities in Copeland refrigeration and HVAC infrastructure
Take action: If you are using Copeland controllers, make sure they are isolated from the internet and reachable only from trusted networks. Even then you are not fully safe, especially given the hardcoded user that cannot be removed. If you are using E2 controllers, plan a prompt replacement, since E2 is end-of-life and no security patches are available for it. For E3 controllers, update promptly to firmware version 2.31F01 or later.
Armis Labs is reporting ten critical security vulnerabilities collectively named "Frostbyte10" affecting Copeland E2 and E3 controllers, devices that manage building HVAC and refrigeration systems.
These vulnerabilities pose threats to food safety, supply chain operations, and critical infrastructure by allowing unauthorized actors to remotely manipulate refrigeration parameters, disable systems, execute remote code, or gain unauthorized access to sensitive operational data.
Copeland, a major provider of climate and industrial technology operating in over 40 countries, counts grocery giants such as Kroger, Albertsons, and Whole Foods among its clients.
Vulnerabilities summary
- CVE-2025-6519 (CVSS score 9.3) - Consistent predictable generation of password for default admin user "ONEDAY". E3 Site Supervisor Control has a default admin user "ONEDAY" with a daily generated password that can be predictably generated by attackers. The ONEDAY user cannot be deleted or modified.
- CVE-2025-52551 (CVSS score 9.3) - Proprietary protocol allows unauthenticated file operations. E2 controllers use a proprietary protocol that permits unauthenticated file operations on any file in the filesystem.
- CVE-2025-52549 (CVSS score 9.2) - Predictable root Linux password generation. E3 controllers generate root Linux passwords on each boot using predictable parameters that attackers can determine.
- CVE-2025-52544 (CVSS score 8.8) - Arbitrary file read from filesystem. Floor plan feature allows unauthenticated attackers to upload specially crafted files and access any file from the E3 filesystem.
- CVE-2025-52547 (CVSS score 8.7) - Denial of Service to application services. MGW service contains an API call lacking input validation that can be exploited to continuously crash application services.
- CVE-2025-52550 (CVSS score 8.6) - Unsigned firmware upgrade packages. Firmware upgrade packages are unsigned, allowing attackers with admin access to install malicious firmware.
- CVE-2025-52545 (CVSS score 7.7) - Privilege escalation in application services. RCI service contains an API call that returns all usernames and password hashes for application services.
- CVE-2025-52548 (CVSS score 6.9) - Enabling SSH and Shellinabox on a vulnerable machine. A hidden API call in the application services can enable SSH and Shellinabox, which are present on the device but disabled by default.
- CVE-2025-52543 (CVSS score 5.3) - Login to application services using only the password hash. E3 application services use client-side hashing for authentication, so an attacker who obtains only the password hash can authenticate with it.
- CVE-2025-52546 (CVSS score 5.1) - Stored XSS by uploading a crafted floor plan file. Specially crafted floor plan files can inject stored cross-site scripting into the floor plan web page.
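The authentication weakness behind CVE-2025-52543, illustrated with an added Python example that is not Copeland's code and assumes nothing about the real E3 protocol beyond the description above (the user names, passwords and both login functions are constructed): when the server compares a client-computed hash against the value it stores, that stored value is password-equivalent, so a leaked user database is a leaked set of credentials; hashing server-side with a per-user salt (PBKDF2 here) removes that property.

```python
import hashlib
import hmac
import os

# Constructed sample record under the weak scheme: the client computes
# sha256(password) and sends it, the server merely compares two strings.
WEAK_USERS = {"operator": hashlib.sha256(b"correct-horse").hexdigest()}


def weak_login(username: str, client_hash: str) -> bool:
    """Vulnerable pattern: the submitted hash IS the credential."""
    stored = WEAK_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, client_hash)


# Hardened scheme: the client sends the plaintext password over TLS and the
# server derives a salted, slow hash itself; the stored digest cannot be replayed.
PBKDF2_ROUNDS = 200_000


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


STRONG_USERS = {"operator": make_record("correct-horse")}


def strong_login(username: str, password: str) -> bool:
    """Server-side salted hashing: only the plaintext password verifies."""
    rec = STRONG_USERS.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["digest"])


def leaked_record_is_password_equivalent(username: str) -> dict:
    """Model a leaked user database (as CVE-2025-52545 describes) under each scheme:
    replaying the stored value works against the weak verifier but not the strong one."""
    weak_replay = weak_login(username, WEAK_USERS[username])
    strong_replay = strong_login(username, STRONG_USERS[username]["digest"].hex())
    return {"weak_scheme_accepts_hash": weak_replay, "strong_scheme_accepts_hash": strong_replay}
```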
Armis Labs discovered these vulnerabilities during security research and worked collaboratively with Copeland to investigate the findings, understand the underlying issues, and develop solutions.
Organizations using Copeland E2 and E3 controllers should immediately assess their exposure to these vulnerabilities and implement mitigation measures. Copeland E2 controllers have been end-of-life since October 2024, and affected customers are strongly encouraged to migrate to the E3 platform. For E3 controllers, patches are available beginning with Copeland firmware version 2.31F01. Organizations should patch affected devices promptly to ensure the vulnerabilities are addressed.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also released advisories urging any organization using vulnerable controllers to patch immediately.