{"id":4641,"date":"2025-09-03T02:05:35","date_gmt":"2025-09-03T02:05:35","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4641"},"modified":"2025-09-03T02:05:35","modified_gmt":"2025-09-03T02:05:35","slug":"warning-flaws-in-copeland-ot-controllers-can-be-leveraged-by-threat-actors","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4641","title":{"rendered":"Warning: Flaws in Copeland OT controllers can be leveraged by threat actors"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Experts have warned IT leaders for years that operational technology (OT) devices connected to the internet can have serious vulnerabilities that lead to network compromises. On Tuesday, a security company disclosed the discovery of 10 holes in controllers from heating, cooling, and refrigeration system manufacturer Copeland LP that could allow a threat actor to disable or gain remote control of equipment, possibly damaging products and injuring people.<\/p>\n<p>Armis called the vulnerabilities in Copeland\u2019s E2 and E3 controllers \u201cFrostbyte10\u201d. 
<a href=\"https:\/\/media.armis.com\/rp-frostbyte10-executive-summary-en.pdf\" target=\"_blank\" rel=\"noopener\">Its report<\/a> was issued after Copeland released updated firmware version 2.31F01 for the devices to correct the issues; CSOs should ensure the update is promptly installed.<\/p>\n<p>The vulnerabilities, Armis said, \u201crepresented a potential high value target for attackers seeking to disrupt or ransom retail infrastructure providers.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Move toward zero trust<\/h2>\n<p>\u201cThe flaws discovered could have allowed unauthorized actors to remotely manipulate parameters, disable systems, execute remote code, or gain unauthorized access to sensitive operational data. When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges,\u201d the report said.<\/p>\n<p>But perhaps the bigger news is the cause of one hole in the E3 firmware: a default admin user, \u201cONEDAY\u201d, with a daily generated password that, in an unpatched system, a threat actor can predict (the bug is designated <a href=\"https:\/\/cvefeed.io\/vuln\/detail\/CVE-2025-6519\" target=\"_blank\" rel=\"noopener\">CVE-2025-6519<\/a>). Default admin users and passwords are the bane of any OT or IT system. <a href=\"https:\/\/www.csoonline.com\/article\/4014095\/some-brother-printers-have-a-remote-code-execution-vulnerability-and-they-cant-fix-it.html?utm=hybrid_search\" target=\"_blank\" rel=\"noopener\">CSO recently reported on a default password issue with Brother printers. 
<\/a><\/p>\n<p>Other E3 vulnerabilities can allow a threat actor to authenticate by obtaining only a password hash, or to get all usernames and password hashes for the application services through an API call, or to access any file by uploading a specially crafted building floor plan.<\/p>\n<p>The vulnerability in E2 controllers stems from a proprietary protocol that allows unauthenticated file operations (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-52551\" target=\"_blank\" rel=\"noopener\">CVE-2025-52551<\/a>).<\/p>\n<p>\u201cGuessable or predictable passwords embedded in OT devices are common,\u201d <a href=\"https:\/\/www.digitaldefence.ca\/company\/\" target=\"_blank\" rel=\"noopener\">Robert Beggs<\/a>, head of Canadian incident response firm Digital Defence, said in an email to <em>CSO<\/em>. \u201cPersons responsible for the management of OT devices are focused on production and reliability of service, not security. As a result, you frequently encounter OT devices that are insecure.\u201d<\/p>\n<p>To ensure security, organizations have to move towards a zero trust architecture for deploying OT devices, Beggs said. That includes verifying user identity, enforcing multifactor authentication, supporting role-based access, and ensuring that all access to devices is securely monitored and logged.<\/p>\n<p><strong>Related content:<\/strong> <a href=\"https:\/\/www.csoonline.com\/article\/4048002\/88-of-cisos-struggle-to-implement-zero-trust.html\" target=\"_blank\" rel=\"noopener\">CISOs struggle to implement zero trust<\/a><\/p>\n<p>Asked for comment on the Armis report, Copeland sent a statement to <em>CSO<\/em> saying that safeguarding the quality and security of the company\u2019s products and customers\u2019 applications \u201cis our top priority. 
Our E2 and E3 controllers have provided reliable service for more than two decades to hundreds of companies and across essential industries such as food retail, refrigeration, industrial processing, and cold storage. We actively partner with the global cybersecurity community to help us continue to improve our products and advance industrywide standards as cybersecurity environments and threats continue to evolve and expand,\u201d the company said.<\/p>\n<p>\u201cUpon being notified of potential E2 and E3 vulnerabilities, Copeland engineers acted immediately to swiftly address potential issues and ensure our customers\u2019 systems remained secure, while maintaining transparent communication with all potentially affected customers,\u201d Copeland continued. \u201cAt this time, there are no known exploits of the potential vulnerabilities. We strongly encourage our customers to apply the available patches promptly to ensure continued security.\u201d<\/p>\n<h2 class=\"wp-block-heading\">\u2018Expected shortcomings\u2019<\/h2>\n<p>The E2 Facility Management System is designed to provide complete control of building and refrigeration systems, including compressor groups, condensers, walk-ins, HVAC units, and lighting, <a href=\"https:\/\/www.copeland.com\/en-us\/products\/controls-monitoring-systems\/facility-controls-electronics\/facility-and-system-controls\/e2-facility-management-system\" target=\"_blank\" rel=\"noopener\">Copeland said<\/a>.<\/p>\n<p><a href=\"https:\/\/www.copeland.com\/en-us\/products\/controls-monitoring-systems\/facility-controls-electronics\/facility-and-system-controls\/supervisory-controls-e3\" target=\"_blank\" rel=\"noopener\">The newer E3<\/a> system adds a built-in touch-screen display with a web-accessible interface and integration with Copeland\u2019s supervisory control software. 
The E3 system replaces the E2, which went end-of-life in October 2024. However, some organizations may still be using E2 systems, and the use of an unauthenticated proprietary protocol in E2 controllers permits sensitive operations without any form of identity verification or encryption. \u201cThese are not just coding oversights,\u201d says Armis, \u201cthey represent structural risks that can persist in OT environments for years.\u201d<\/p>\n<p>The findings by Armis aren\u2019t uncommon, said Beggs. \u201cIn fact,\u201d he added, \u201cthey might fall under the umbrella of \u2018expected shortcomings.\u2019 Until the most recent past, [OT] devices were judged primarily on whether or not they worked, and performed expected tasks. They were not expected to provide secure functionality, and there was no reward or penalty for an insecure device.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Demand secure OT devices<\/h2>\n<p>Because of this, Beggs warned, \u201cif organizations don\u2019t demand secure devices, they will not be provided by the vendor.\u201d<\/p>\n<p><strong>Related content:<\/strong> <a href=\"https:\/\/www.csoonline.com\/article\/3526285\/navigating-the-future-of-ot-security.html\" target=\"_blank\" rel=\"noopener\">Navigating the future of OT security<\/a><\/p>\n<p>There have been changes lately in OT cybersecurity, he added, because customers are recognizing the security risks associated with internet-connected devices. But, he said, the changed perspective has to be matched by real changes in how OT devices are acquired and managed.<\/p>\n<p>First, he said, there has to be a requirement or client demand for secure operations. 
Second, the schism between IT and OT management has to be resolved. \u201cIt is completely typical to be asked to do a penetration test of the wired and wireless networks, and then be told to ignore the OT devices because they are managed by a different department,\u201d he said.<\/p>\n<p>Network tools (cybersecurity intelligence, automated inventory, security configuration and management, patching, reporting) have to include OT networks as well as the more common IT networks, Beggs stressed. And incident response processes have to embrace the OT network.<\/p>\n<p>\u201cPresently, the OT network is treated so differently from the IT network that security processes are rare,\u201d he said. \u201cWhere they do exist, they are usually a duplicate of what is being offered on the IT network, increasing the cost and complexity of management. Overcoming the \u2018great schism\u2019 will reduce costs and potential liability for all users.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Experts have warned IT leaders for years that operational technology (OT) devices connected to the internet can have serious vulnerabilities that lead to network compromises. 
Tuesday, a security company disclosed the discovery of 10 holes in controllers from heating, cooling, and refrigeration system manufacturer Copeland LP that could allow a threat actor to disable or [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4642,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4641","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4641"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4641"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4641\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4642"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}