CVE-2025-52548
Enabling SSH and Shellinabox on the vulnerable machine
In short
A hidden feature in E3 Site Supervisor Control firmware allows administrators to enable SSH and remote shell access that are normally disabled. An attacker with admin credentials could use this to gain unauthorized access to the system's underlying operating system.
Technical detail
CVE-2025-52548 concerns an undisclosed API call in the application services of E3 Site Supervisor Control (firmware < 2.31F01) that activates the SSH and Shellinabox services, which are present on the device but disabled by default. Using the call requires valid administrative credentials for the application services layer; once the services are enabled, the caller has remote access to the underlying OS, bypassing the intended restrictions on remote connectivity.
Summary generated and translated by AI from the official description.
E3 Site Supervisor Control (firmware version < 2.31F01) contains a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. An attacker with admin access to the application services can utilize this API to enable remote access to the underlying OS.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
Copeland LP · E3 Supervisory Control