CVE-2025-52550:
Unsigned firmware upgrade packages in Copeland LP's E3 Supervisory Control (firmware < 2.31F01) enable an attacker with admin access to forge and install malicious firmware, potentially causing local code execution. The vulnerability is rated high (CVSS 8.6).
Score
A numerical rating that indicates how dangerous this vulnerability is.
7.2High- Published Date:Sep 2, 2025
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.0
- EPSS Percentile:11%
Exploitability
- Score:1.2
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:HIGH
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Unsigned firmware upgrade packages in Copeland LP's E3 Supervisory Control (firmware < 2.31F01) enable an attacker with admin access to forge and install malicious firmware, potentially causing local code execution. The vulnerability is rated high (CVSS 8.6).
Overview
CVE-2025-52550 concerns unsigned firmware upgrade packages in the Copeland LP E3 Supervisory Control product family. The core weakness is improper verification of cryptographic signatures (CWE-347), which permits forging of firmware upgrades and their installation by an attacker who has admin access to the application services. The result can be local code execution on affected devices, with high impact to confidentiality, integrity, and availability. The affected firmware range is versions less than 2.31F01, and the issue is exploitable over the network with high privileges and no user interaction required. A straightforward remediation is to upgrade to a version greater than 2.30F1, after which the firmware should enforce proper signature verification for upgrades.
Remediation
- Upgrade firmware to a version greater than 2.30F1 (per vendor guidance) to close the vulnerability.
- Verify and enforce digital signature checks for all firmware upgrade packages; ensure only signed, vendor-approved updates are installable.
- Restrict admin access to the E3 Supervisory Controls management interfaces:
- Limit administrative access to trusted networks and devices.
- Enforce strong access controls and, if available, multi-factor authentication for admin accounts.
- Implement network-based mitigations:
- Restrict access to the E3 network interface (ETH 0) with VLANs/subnets and/or a firewall.
- Ensure the restricted network segments are not reachable from untrusted networks.
- Establish a change management and validation process:
- Test the upgrade in a controlled environment before production deployment.
- Validate the integrity and authenticity of firmware packages prior to deployment.
- Monitor vendor advisories for additional fixes or recommended configurations and apply them as soon as they are released.
References
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
