CVE-2025-52548
CVE-2025-52548 is a medium-severity vulnerability rated 6.9/10 on the CVSS scale. EPSS estimates a 0.33% chance of exploitation in the next 30 days.
Description
E3 Site Supervisor Control (firmware version < 2.31F01) contains a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. An attacker with admin access to the application services can utilize this API to enable remote access to the underlying OS.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Copeland | E3 Supervisory Controller Firmware | < 2.31f01 |
References
- https://www.armis.com/research/frostbyte10/ (Mitigation, Third Party Advisory)
Timeline
- Status: Analyzed
Source: NVD / NIST
