Copeland Lp E3 Supervisory Control vulnerabilities
9 known vulnerabilities affecting copeland_lp/e3_supervisory_control.
Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 5, MEDIUM 2
Vulnerabilities
CVE-2025-52549 (P2, CRITICAL, CVSS 9.8, CWE-522; fixed in 2.31F01; 2025-09-02)
E3 Site Supervisor Control (firmware version < 2.31F01) generates the root Linux password on each boot. An attacker can generate the root Linux password for a vulnerable device based on known or easy-to-fetch parameters.
Source: NVD
CVE-2025-6519 (P2, CRITICAL, CVSS 9.8, CWE-522; fixed in 2.31F01; 2025-09-02)
E3 Site Supervisor (firmware version < 2.31F01) has a default admin user "ONEDAY" with a daily generated password. An attacker can predictably generate the password for ONEDAY. The ONEDAY user cannot be deleted or modified by any user.
Source: NVD
CVE-2025-52544 (P3, HIGH, CVSS 7.5, CWE-20; fixed in 2.31F01; 2025-09-02)
E3 Site Supervisor Control (firmware version < 2.31F01) has a floor plan feature that allows an unauthenticated attacker to upload floor plan files. By uploading a specially crafted floor plan file, an attacker can access any file on the E3 file system.
Source: NVD
CVE-2025-52543 (P3, HIGH, CVSS 7.5, CWE-836; fixed in 2.31F01; 2025-09-02)
E3 Site Supervisor Control (firmware version < 2.31F01) application services (MGW and RCI) use client-side hashing for authentication. An attacker can authenticate by obtaining only the password hash.
Source: NVD
CVE-2025-52550 (P3, HIGH, CVSS 7.2, CWE-347; fixed in 2.31F01; 2025-09-02)
E3 Site Supervisor Control (firmware version < 2.31F01) firmware upgrade packages are unsigned. An attacker can forge malicious firmware upgrade packages. An attacker with admin access to the application services can install a malicious firmware upgrade.
Source: NVD
CVE-2025-52545 (P3, HIGH, CVSS 7.5, CWE-522; fixed in 2.31F01; 2025-09-02)
E3 Site Supervisor Control (firmware version < 2.31F01) RCI service contains an API call to read user info, which returns all usernames and password hashes for the application services.
Source: NVD
CVE-2025-52547 (P3, HIGH, CVSS 7.5, CWE-20; fixed in 2.31F01; 2025-09-02)
E3 Site Supervisor Control (firmware version < 2.31F01) MGW contains an API call that lacks input validation. An attacker can use this call to continuously crash the application services.
Source: NVD
CVE-2025-52546 (P4, MEDIUM, CVSS 6.1, CWE-434; fixed in 2.31F01; 2025-09-02)
E3 Site Supervisor Control (firmware version < 2.31F01) has a floor plan feature that allows an unauthenticated attacker to upload floor plan files. By uploading a specially crafted floor plan file, an attacker can inject stored XSS into the floor plan web page.
Source: NVD
CVE-2025-52548 (P4, MEDIUM, CVSS 4.9, CWE-1242; fixed in 2.31F01; 2025-09-02)
E3 Site Supervisor Control (firmware version < 2.31F01) contains a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. An attacker with admin access to the application services can utilize this API to enable remote access to the underlying OS.
Source: NVD