- Ten bugs were found in Copeland E2 and E3 controllers
- Copeland released a fix via a firmware update
- When combined, the flaws can lead to remote code execution
Two Copeland controllers, electronic control systems used in refrigeration and HVAC applications, carried almost a dozen vulnerabilities that could have been used for privilege escalation and remote code execution (RCE), putting thousands of companies at risk.
E2 and E3 Copeland controllers are designed to control temperature, energy consumption and system performance. They are often found in supermarkets, grocery stores and food service operations, and apparently they are quite popular in the United States.
Recently, security researchers from the operational technology security company Armis found a total of 10 vulnerabilities and collectively named them Frostbyte10. They reported their findings to Copeland, which issued a firmware update to address the flaws and reduce potential risks.
According to The Register, Copeland has a presence in more than 40 countries and counts giants such as Kroger, Albertsons and Whole Foods among its customers. It reported $4.75 billion in revenue in 2024.
Firmware update
Of the two controllers, the E2 reached end of life in October, the publication added, but Copeland still issued a firmware update. Users are advised to upgrade to the latest model, the E3, and to make sure they run at least firmware version 2.31F01.
The US Cybersecurity and Infrastructure Security Agency (CISA) is also expected to issue an advisory on these flaws, but it had not been published by press time. Still, CISA said that combining the flaws “can result in unauthorized execution of remote code with root rights,” The Register noted.
So far, Armis seems to be the first to discover the flaws, as there is no evidence that any of them had been exploited in the wild before. But if companies do not patch their devices, they will remain vulnerable to widely known, published flaws. Many threat actors wait for someone else to discover vulnerabilities and bet that most companies will not apply the fixes in time.
Via The Register



