- Ten vulnerabilities were found in Copeland E2 and E3 controllers
- Copeland has released a fix in the form of a firmware update
- Chained together, the flaws can lead to remote code execution
Two Copeland controllers, electronic control systems used in HVAC and refrigeration applications, carried almost a dozen vulnerabilities that could have been exploited for privilege escalation and remote code execution (RCE), putting thousands of companies at risk.
Copeland's E2 and E3 controllers are designed to manage temperature, energy use and system performance. They are commonly found in supermarkets, convenience stores and food service operations and, apparently, are quite popular in the United States.
Recently, security researchers at the operational technology security firm Armis found a total of 10 vulnerabilities, which they collectively named Frostbyte10. They reported their findings to Copeland, which issued a firmware update to address the flaws and mitigate the potential risks.
According to The Register, Copeland has a presence in more than 40 countries, with giants such as Kroger, Albertsons and Whole Foods among its customers. It reported $4.75 billion in revenue in 2024.
Firmware update
Of the two controllers, the E2 reached end of life in October, the publication added, but Copeland still issued a firmware update for it. Users are advised to upgrade to the newer model, the E3, and to make sure it is running firmware version 2.31F01 or later.
The US Cybersecurity and Infrastructure Security Agency (CISA) is also expected to issue an advisory about these flaws, but it had not been published at press time. Even so, CISA said that chaining the issues "can lead to unauthenticated remote code execution with root privileges," The Register reported.
So far, Armis appears to be the first to have discovered the flaws, and there is no evidence that any of them have been abused in the wild. However, companies that do not patch their devices will remain exposed to flaws that are now widely publicized. Many threat actors deliberately wait for someone else to discover vulnerabilities, betting that most companies will not apply the fixes in time.
Via The Register