
Frostbyte10 bugs put thousands of refrigerators at major grocery chains at risk

(2025/09/02)


Ten vulnerabilities in Copeland controllers, which are found in thousands of devices used by the world's largest supermarket chains and cold storage companies, could have allowed miscreants to manipulate temperatures and spoil food and medicine, leading to massive supply-chain disruptions.

The flaws, collectively called Frostbyte10, affect Copeland E2 and E3 controllers, used to manage critical building and refrigeration systems, such as compressor groups, condensers, walk-in units, HVAC, and lighting systems. Three received critical-severity ratings.

Operational technology security firm Armis found and reported the 10 bugs to Copeland, which has since issued firmware updates that fix the flaws in both the [1]E3 and the [2]E2 controllers. The E2s reached their official end-of-life in October, and affected customers are encouraged to move to the newer E3 platform. Upgrading to Copeland firmware version 2.31F01 mitigates all the security issues detailed here, and the vendor recommends patching promptly.


In addition to the Copeland updates, the US Cybersecurity and Infrastructure Security Agency (CISA) is also scheduled to release advisories today, urging any organization that uses vulnerable controllers to patch immediately. Prior to these publications, Copeland and Armis execs spoke exclusively to The Register about Frostbyte10, and allowed us to preview an Armis report about the security issues.


"When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges," it noted.

From remote device manipulation to food supply disruption

Copeland makes heating, cooling, and industrial technology and has a presence in more than 40 countries worldwide. It counts Kroger, Albertsons, and Whole Foods among its refrigeration systems' customers, and generated $4.75 billion in revenue last year.

According to Copeland VP of Software Josh Weaver, about two-thirds of grocery stores in North America use its products. "Not all of those are in scope for what we're talking about today, to be clear," Weaver told The Register. "But you and your readers, more likely than not, have stepped foot into the stores that we support."


To be clear: there is no indication that any of these vulnerabilities were found and exploited in the wild before Copeland issued fixes.

However, the manufacturer's ubiquitous reach across retail and cold storage makes it a prime target for all manner of miscreants, from nation-state attackers looking to disrupt the food supply chain to ransomware gangs looking for victims who will quickly pay extortion demands to avoid operational downtime and food spoilage. Case in point: [6]JBS Foods made an [7]$11 million ransom payment to REvil criminals several years ago.

"Attackers go after the targets that would generate the most revenue or advantage," Armis CTO and co-founder Nadir Israel told The Register. "If I can hold for ransom, something where the business loses money every second that goes by, that's what I'm targeting. For retailers: their supplies, their food, everything that's being held in that fashion is absolutely a target."


Almost five months ago, Armis Labs network researchers Shaul Garbuz and Alon Cohen spotted the first of the 10 bugs while working with one of their company's large retail customers to identify the Copeland devices in the retailer's environment.

"In the process of researching how we can analyze the traffic and try to communicate with these devices in our lab, we saw some potential red flags," Garbuz told The Register. "It started with us accidentally crashing one of the devices — this is one of the vulnerabilities — by communicating with it in an incorrect way. And then we started digging in."

That flaw, now tracked as CVE-2025-52547, results in denial-of-service to the application services, and it's due to an API call that lacks input validation.


Nine of the flaws exist in the E3 firmware version earlier than 2.31F01, while the final bug affects E2 controllers. Here are all 10 CVEs:

CVE-2025-6519, a CVSS 9.3 stored cross-site scripting (XSS) vulnerability in E3 Site Supervisor Control due to a default admin user "ONEDAY" whose daily generated password can be predicted; the ONEDAY user cannot be deleted or modified.

CVE-2025-52543, a CVSS 5.3 authentication flaw in two E3 application services (Management Gateway or MGW, and Remote Communication Interface or RCI) that use client-side hashing for authentication. An attacker can authenticate by obtaining only the password hash.
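The CVE-2025-52543 description is a textbook pass-the-hash setup: if the client hashes the password and the server only compares that hash with the one it stores, the stored hash is itself a valid credential, so anything that leaks the hash table (such as the CVE-2025-52545 API call described below) hands out working logins. The Go program below is an added illustration, not Copeland's code or the MGW/RCI protocol: it models the weak scheme beside a server-side salted verifier in which the stored hash cannot be replayed. The record layouts, user names and passwords are constructed for the example, and the iterated SHA-256 stretch stands in for a proper memory-hard KDF (Argon2 or scrypt) so that the example stays within the standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// weakRecord models the flawed scheme: the server stores hex(sha256(password))
// and the client sends exactly that value at login time (constructed example).
type weakRecord struct {
	User         string
	PasswordHash string
}

// weakHash is the unsalted hash the client computes and submits.
func weakHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// weakLogin compares whatever the client submitted with the stored hash.
// Whoever holds the stored hash can log in without knowing the password.
func weakLogin(rec weakRecord, submittedHash string) bool {
	return subtle.ConstantTimeCompare([]byte(rec.PasswordHash), []byte(submittedHash)) == 1
}

// hardenedRecord keeps a per-user random salt; the client sends the plaintext
// password over TLS and the server performs the hashing itself.
type hardenedRecord struct {
	User string
	Salt []byte
	Hash []byte
}

// iterations is a constructed work factor; tune it (or switch to Argon2/scrypt)
// for production use.
const iterations = 50_000

// derive stretches salt||password with iterated SHA-256 (assumption: a simple
// stand-in for a memory-hard KDF).
func derive(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), []byte(password)...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

// newHardenedRecord creates a record with a fresh 16-byte random salt.
func newHardenedRecord(user, password string) (hardenedRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return hardenedRecord{}, err
	}
	return hardenedRecord{User: user, Salt: salt, Hash: derive(salt, password)}, nil
}

// hardenedLogin re-derives the hash from the submitted password and compares
// in constant time; the stored hash alone is useless to an attacker.
func hardenedLogin(rec hardenedRecord, password string) bool {
	return subtle.ConstantTimeCompare(rec.Hash, derive(rec.Salt, password)) == 1
}

// replayStoredHash shows that submitting the leaked hash as the "password"
// fails under the hardened scheme.
func replayStoredHash(rec hardenedRecord) bool {
	return hardenedLogin(rec, hex.EncodeToString(rec.Hash))
}

func main() {
	weak := weakRecord{User: "tech", PasswordHash: weakHash("Winter2024")}
	fmt.Println("weak scheme, login with the stored hash alone:", weakLogin(weak, weak.PasswordHash))

	rec, err := newHardenedRecord("tech", "Winter2024")
	if err != nil {
		panic(err)
	}
	fmt.Println("hardened scheme, correct password:", hardenedLogin(rec, "Winter2024"))
	fmt.Println("hardened scheme, replaying the stored hash:", replayStoredHash(rec))
}
```

The design point is where the hashing happens: a hash computed on the client is just a password in a different encoding, and a leaked credential store becomes a login list. Hashing on the server with a per-user salt turns the stored value into something that verifies a password but cannot be presented as one.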

CVE-2025-52544, a CVSS 8.8 arbitrary read vulnerability in E3. The controller has a floor plan feature that allows for an unauthenticated attacker to upload specially crafted floor plan files and then access any file from the E3 file system.

CVE-2025-52545, a CVSS 7.7 privilege escalation bug in E3. The RCI service contains an API call to read users info, which returns all usernames and password hashes for the application services.

CVE-2025-52546, a CVSS 5.1 XSS flaw in E3, due to a floor plan feature that allows for an unauthenticated attacker to upload floor plan files. An attacker can upload a specially crafted floor plan file, and then inject a stored XSS into the floor plan web page.

CVE-2025-52547, a CVSS 8.7 denial of service (DoS) bug in E3. The MGW service contains an API call that lacks input validation, and this can be abused by an attacker to continuously crash the application services.

CVE-2025-52548, a CVSS 6.9 security issue in E3 that's caused by a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. However, an attacker with admin access to the application services can abuse this API to enable remote access to the underlying OS.

CVE-2025-52549, a CVSS 9.2 bug in E3 in which the root Linux password is generated on each boot. This allows an attacker to derive the root Linux password for a vulnerable device from known or easy-to-fetch parameters.

CVE-2025-52550, a CVSS 8.6 bug in E3 caused by unsigned firmware upgrade packages. An attacker with admin access to the application services can forge a firmware upgrade package and then install the malicious version.
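CVE-2025-52550 comes down to the controller not checking who produced an upgrade package before installing it. The Go program below is an added example of the control that closes that gap, not Copeland's code and not its package format: a constructed package layout (a "FWPK" magic, a length field, the payload and a trailing Ed25519 signature over everything before it) is verified against a vendor public key that would be baked into the device, beside the unsigned install path that accepts anything with the right magic. The key pair, payload bytes and layout are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout (assumption, not the vendor's format):
//   "FWPK" | uint32 big-endian payload length | payload | 64-byte Ed25519 signature
// The signature covers magic, length and payload, so neither can be altered.
const magic = "FWPK"

const headerSize = len(magic) + 4

var errBadPackage = errors.New("firmware package rejected")

// newVendorKey generates the signing key pair; on a real device only the
// public half would ship in the firmware.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// buildPackage is the vendor-side step: frame the payload and sign the frame.
func buildPackage(priv ed25519.PrivateKey, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	_ = binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// verifyPackage is the device-side step: it returns the payload only when the
// framing is consistent and the signature verifies under the vendor key.
func verifyPackage(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) < headerSize+ed25519.SignatureSize || string(pkg[:len(magic)]) != magic {
		return nil, errBadPackage
	}
	n := int(binary.BigEndian.Uint32(pkg[len(magic):headerSize]))
	if n != len(pkg)-headerSize-ed25519.SignatureSize {
		return nil, errBadPackage
	}
	signed, sig := pkg[:headerSize+n], pkg[headerSize+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, errBadPackage
	}
	return pkg[headerSize : headerSize+n], nil
}

// unsignedInstall models the flawed behaviour: anything with the right magic
// and a plausible length field is accepted as firmware.
func unsignedInstall(pkg []byte) ([]byte, error) {
	if len(pkg) < headerSize || string(pkg[:len(magic)]) != magic {
		return nil, errBadPackage
	}
	n := int(binary.BigEndian.Uint32(pkg[len(magic):headerSize]))
	if n > len(pkg)-headerSize {
		return nil, errBadPackage
	}
	return pkg[headerSize : headerSize+n], nil
}

func main() {
	pub, priv := newVendorKey()
	genuine := buildPackage(priv, []byte("constructed firmware image"))

	// Flip one payload byte after signing, as a tampered package would.
	tampered := append([]byte{}, genuine...)
	tampered[headerSize] ^= 0x01

	_, err := verifyPackage(pub, genuine)
	fmt.Println("signed check, genuine package accepted:", err == nil)
	_, err = verifyPackage(pub, tampered)
	fmt.Println("signed check, tampered package rejected:", err != nil)
	_, err = unsignedInstall(tampered)
	fmt.Println("unsigned install, tampered package accepted:", err == nil)
}
```

Two details matter beyond "verify a signature": the length field is inside the signed region and is cross-checked against the actual size, so a package cannot be truncated or padded into a different parse, and verification happens before any byte of the payload is acted on. Rotating or revoking the vendor key is a separate problem this sketch does not cover.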

CVE-2025-52551, a CVSS 9.3 bug in E2 Facility Management Systems, which use a proprietary protocol that allows for unauthenticated file operations on any file in the file system.

The end-of-life E2 controllers use an unencrypted protocol, which made it easy for the researchers to reverse engineer it. "Once we understood the protocol, we could do pretty much whatever we want — override files, run code," Garbuz said.


The other nine bugs affect E3 devices, and an attacker could chain some of these together to achieve all sorts of nefarious results. For example, CVE-2025-6519, which is due to a predictable password that's generated daily (the password includes the date), can be abused to gain system administrator privileges. When chained to CVE-2025-52549, which allows an attacker to predict the Linux root password, it can be exploited to remotely control other managed devices, or change settings and alerts.

"That's enough to disturb the operations of the facility," Garbuz said. "You can remove other users. You can prevent access for other humans from using the machine. You can update the firmware for the device and give it a malicious firmware. You can run code on the device. This is pretty much maximum control over the device. And this is not yet the remote code execution."


The reason Copeland created this default admin user "ONEDAY" with a predictable, daily password was due to customer demand, Weaver explained, because it made it easier for refrigeration contractors to remotely access and control the systems.

"The customers asked us to give them repeatable passwords, which is generally a no-no in the security industry," he said. "This almost goes to a philosophical question: if a customer is specifically asking you to do something, in fact, they're demanding it, but it's not the most secure way to access their product, should you try to correct them?"

Ultimately, the answer here is yes, and the devices no longer use predictable passwords with admin privileges. "Copeland jumped on this, even though there hasn't been an issue, it was something we wanted to address as soon as we were made aware of it," Weaver said, adding that even though this flaw didn't allow RCE, "if you can update your own firmware, it almost doesn't matter."

If an attacker did want to execute code remotely, they would need to chain the previous two flaws (CVE-2025-6519 and CVE-2025-52549) with CVE-2025-52548, which is caused by a hidden API call in the application services that enables SSH and Shellinabox. SSH and Shellinabox can be used to execute commands on a remote server as if directly logged in, and chaining these three can result in unauthenticated RCE with root privileges. ®




[1] https://www.copeland.com/en-us/products/controls-monitoring-systems/facility-controls-electronics/facility-and-system-controls/supervisory-controls-e3#section9

[2] https://www.copeland.com/en-us/products/controls-monitoring-systems/facility-controls-electronics/facility-and-system-controls/e2-facility-management-system#firmware-updates


[6] https://www.theregister.com/2021/06/02/jbs_fodds_ransomwaree

[7] https://www.npr.org/2021/06/09/1004964822/jbs-paid-an-11-million-ransom-to-cyberattackers






Doctor Syntax

"The reason Copeland created this default admin user "ONEDAY" with a predictable, daily password was due to customer demand, Weaver explained, because it made it easier for refrigeration contractors to remotely access and control the systems. "

Ah, yes. Convenience. It will be so convenient for service to remotely access the systems to fix them after they've been so inconveniently shut down by a miscreant who found it so convenient to log in remotely to break them.

Convenience beats security every time.

"an API call that lacks input validation"

simonlb

That and using an unencrypted protocol for communication? FFS! When, why and by what massively stupid idiot was this shit approved as production ready? I could understand this level of crass negligence 25 years ago but now? It boggles the mind.

Anonymous Coward

"The customers asked us to give them repeatable passwords, which is generally a no-no in the security industry," he said. "This almost goes to a philosophical question: if a customer is specifically asking you to do something, in fact, they're demanding it, but it's not the most secure way to access their product, should you try to correct them?"

Yes, you should. Because when it all goes wrong you'll get blamed. So you look for a solution that doesn't involve huge admin overhead, but still secures the product.

That's the reason why SSO solutions exist.

ParlezVousFranglais

Also missing the glaringly obvious opportunity to create and upsell their own proprietary multi-client, multi-site Password Manager product, thereby handling security properly, keeping both their clients and reseller/support network happy, and making a few extra $$$ on top

Official Project Stages:
(1) Uncritical Acceptance
(2) Wild Enthusiasm
(3) Dejected Disillusionment
(4) Total Confusion
(5) Search for the Guilty
(6) Punishment of the Innocent
(7) Promotion of the Non-participants