E3 Supervisory Controller Firmware
cpe:2.3:o:copeland:e3_supervisory_controller_firmware:*:*:*:*:*:*:*:*
part: o version: * update: *
| Vendor | Copeland (0337f2ca-87d7-5998-8541-ed674a0ef7b2) |
|---|---|
| Product | E3 Supervisory Controller Firmware (60857ac3-4a77-51ad-83dc-a36228f162ea) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-6519 | vulnerable | 2026-06-03 15:12:27.773083 | Consistent predictable generation of the password for the default admin user "ONEDAY" to the application services<br>E3 Site Supervisor (firmware version < 2.31F01) has a default admin user "ONEDAY" with a daily generated password. An attacker can predictably generate the password for ONEDAY. The oneday user cannot be deleted or modified by any user.<br>Published: 2025-09-02T11:23:59.838Z<br>Updated: 2025-09-02T15:25:44.338Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-52550 | vulnerable | 2026-06-03 15:01:59.480530 | Firmware upgrade packages are unsigned<br>E3 Site Supervisor Control (firmware version < 2.31F01) firmware upgrade packages are unsigned. An attacker can forge malicious firmware upgrade packages. An attacker with admin access to the application services can install a malicious firmware upgrade.<br>Published: 2025-09-02T11:26:35.207Z<br>Updated: 2025-09-02T13:40:43.018Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-52549 | vulnerable | 2026-06-03 15:01:59.479753 | Predictable root linux password generation<br>E3 Site Supervisor Control (firmware version < 2.31F01) generates the root linux password on each boot. An attacker can generate the root linux password for a vulnerable device based on known or easy to fetch parameters.<br>Published: 2025-09-02T11:26:23.423Z<br>Updated: 2025-09-02T13:43:26.506Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-52548 | vulnerable | 2026-06-03 15:01:59.478620 | Enabling SSH and Shellinabox on the vulnerable machine<br>E3 Site Supervisor Control (firmware version < 2.31F01) contains a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. An attacker with admin access to the application services can utilize this API to enable remote access to the underlying OS.<br>Published: 2025-09-02T11:26:08.636Z<br>Updated: 2025-09-02T13:28:08.207Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-52547 | vulnerable | 2026-06-03 15:01:59.477698 | DoS to the application services<br>E3 Site Supervisor Control (firmware version < 2.31F01) MGW contains an API call that lacks input validation. An attacker can use this command to continuously crash the application services.<br>Published: 2025-09-02T11:25:54.718Z<br>Updated: 2025-09-02T13:29:17.409Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-52546 | vulnerable | 2026-06-03 15:01:59.477022 | Stored XSS by uploading a specially crafted floor plan file<br>E3 Site Supervisor Control (firmware version < 2.31F01) has a floor plan feature that allows for an unauthenticated attacker to upload floor plan files. By uploading a specially crafted floor plan file, an attacker can inject a stored XSS to the floorplan web page.<br>Published: 2025-09-02T11:25:39.864Z<br>Updated: 2025-09-02T13:30:49.398Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-52545 | vulnerable | 2026-06-03 15:01:59.476117 | Privilege escalation in the application services<br>E3 Site Supervisor Control (firmware version < 2.31F01) RCI service contains an API call to read users info, which returns all usernames and password hashes for the application services.<br>Published: 2025-09-02T11:25:22.792Z<br>Updated: 2025-09-02T13:33:29.926Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-52544 | vulnerable | 2026-06-03 15:01:59.475223 | Arbitrary read file from the filesystem<br>E3 Site Supervisor Control (firmware version < 2.31F01) has a floor plan feature that allows for an unauthenticated attacker to upload floor plan files. By uploading a specially crafted floor plan file, an attacker can access any file from the E3 file system.<br>Published: 2025-09-02T11:25:01.106Z<br>Updated: 2025-09-02T13:36:13.634Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-52543 | vulnerable | 2026-06-03 15:01:59.469816 | Login to the application services using only the password hash<br>E3 Site Supervisor Control (firmware version < 2.31F01) application services (MGW and RCI) uses client side hashing for authentication. An attacker can authenticate by obtaining only the password hash.<br>Published: 2025-09-02T11:24:32.443Z<br>Updated: 2025-09-02T13:43:02.830Z | Imported from gcve-enriched-dumps CVE data |