CVE-2025-52543:
Authentication vulnerability in Copeland LP E3 Site Supervisor Control firmware (< 2.31F01) that allows login using only the password hash due to client-side hashing, enabling remote authentication abuse.
Score
- Score: 7.5 (High)
- Published Date: Sep 2, 2025
- CISA KEV Date: No Data
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.1
- EPSS Percentile: 20%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 3.6
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
- Availability Impact: NONE
Overview
Copeland LP's E3 Site Supervisor Control firmware prior to 2.31F01 hashes the password on the client side and accepts that hash as the credential, so an attacker who obtains a stored or captured password hash can authenticate to application services without ever knowing the plaintext password. This is an authentication abuse weakness (CWE-836) and is remotely exploitable where the device's web interface is reachable from the network, posing Confidentiality and Integrity risks with a moderate overall impact.
Remediation
- Upgrade the affected E3 Supervisory Controls firmware to a version greater than 2.30F1 (as recommended by the vendor).
- If upgrading is not feasible, restrict access to the E3 Supervisory Controls network interface (ETH0) by placing it on a restricted VLAN or subnet and firewalling it from untrusted networks.
- Implement network segmentation and restrict administrative access to trusted management networks; monitor and alert on authentication attempts to detect abuse attempts.
- After applying the upgrade or mitigations, validate that authentication no longer accepts only a hash and verify with appropriate test credentials and logs.
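The weakness class described in the Overview, and the validation step above (checking that a login no longer succeeds with only a hash), illustrated with a hypothetical login verifier. This is added example code, not the E3 Site Supervisor firmware or any Copeland code: the account name, password, KDF parameters and the two `*_login` functions are all constructed for the demo. The vulnerable variant compares a client-computed hash against the stored value, so the hash itself is the credential; the hardened variant receives the plaintext over TLS and derives a salted PBKDF2 verifier server-side, so a leaked verifier is not usable as a login credential.

```python
"""Client-side hashing (hash == credential) versus server-side salted KDF.
Hypothetical example; not the firmware's own authentication code."""
import hashlib
import hmac
import os

# Constructed demo account (not real credentials).
DEMO_USER = "operator"
DEMO_PASSWORD = "correct horse battery staple"


# --- Vulnerable pattern: client-side hashing --------------------------------
# The browser hashes the password and submits the hash; the server only
# compares it to the stored value. Whoever holds the hash can log in.

def client_side_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


VULN_DB = {DEMO_USER: client_side_hash(DEMO_PASSWORD)}


def vulnerable_login(user: str, submitted_hash: str) -> bool:
    stored = VULN_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, submitted_hash)


# --- Hardened pattern: server-side salted KDF -------------------------------
# The client sends the plaintext password over TLS; the server derives a
# per-user salted PBKDF2 verifier and compares in constant time. The stored
# verifier cannot be replayed as a credential.

KDF_ITERATIONS = 200_000  # assumed demo parameter


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive(password, salt)}


HARDENED_DB = {DEMO_USER: make_record(DEMO_PASSWORD)}


def hardened_login(user: str, password: str) -> bool:
    rec = HARDENED_DB.get(user)
    if rec is None:
        # Run the KDF anyway so response time does not reveal valid usernames.
        derive(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["verifier"], derive(password, rec["salt"]))


def accepts_hash_only(login, user: str, leaked_value: str) -> bool:
    """Validation check from the remediation list: does this login function
    accept a leaked stored value as the credential? Must be False after fixing."""
    return login(user, leaked_value)


def demo() -> dict:
    """Exercise both verifiers and report what each one accepts."""
    leaked_vuln = VULN_DB[DEMO_USER]
    leaked_hard = HARDENED_DB[DEMO_USER]["verifier"].hex()
    return {
        "vulnerable_accepts_password_hash": vulnerable_login(DEMO_USER, client_side_hash(DEMO_PASSWORD)),
        "vulnerable_accepts_leaked_hash": accepts_hash_only(vulnerable_login, DEMO_USER, leaked_vuln),
        "hardened_accepts_password": hardened_login(DEMO_USER, DEMO_PASSWORD),
        "hardened_accepts_leaked_verifier": accepts_hash_only(hardened_login, DEMO_USER, leaked_hard),
        "hardened_rejects_wrong_password": hardened_login(DEMO_USER, "wrong"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `accepts_hash_only` check is the part to keep around after an upgrade or mitigation: feed the login path a stored or captured hash value rather than a password and confirm it is rejected, alongside the log review already listed above. Moving hashing to the server only helps if the password travels over TLS; a plaintext HTTP login would simply trade one captured credential for another.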