CVE-2025-52543
📋 TL;DR
This vulnerability allows attackers to authenticate to E3 Site Supervisor Control systems by obtaining only password hashes, bypassing the need for actual passwords. It affects systems running firmware versions below 2.31F01 that use client-side hashing for authentication. Organizations using these systems for building management or industrial control are at risk.
💻 Affected Systems
- E3 Site Supervisor Control
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to take control of building management systems, manipulate environmental controls, disable security systems, or access sensitive operational data.
Likely Case
Unauthorized access to building management systems allowing attackers to monitor operations, disrupt environmental controls, or use the system as a foothold for further network attacks.
If Mitigated
Limited impact if systems are isolated on segmented networks with strict access controls and monitoring, though authentication bypass remains possible.
🎯 Exploit Status
Exploitation requires obtaining password hashes through other means (credential dumping, network sniffing, etc.), but once obtained, authentication bypass is trivial.
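The advisory's point that possession of the hash is enough hinges on the login design: when the client hashes the password and the server only compares that digest with the one it stores, the stored digest is itself the credential. The following is an added illustration, not code from the vendor or from the advisory; the function names, record layout and PBKDF2 work factor are assumptions. It contrasts that weak design with server-side salted, iterated hashing, where the server expects the password and a stored record alone does not satisfy the check.

```python
"""
Added illustration (hypothetical, not E3 firmware code): client-side hash
comparison vs. server-side salted key derivation. Everything here is an
assumption made for the example.
"""
import hashlib
import hmac
import os

# --- Weak design: client hashes, server compares digest to digest ---------
# The stored value IS the credential; the server never sees a password.

def weak_enroll(password: str) -> str:
    # Unsalted one-shot digest computed on the client and stored verbatim.
    return hashlib.sha256(password.encode()).hexdigest()

def weak_verify(stored_hash: str, presented_hash: str) -> bool:
    # Constant-time equality, but equality of digests is all that is checked.
    return hmac.compare_digest(stored_hash, presented_hash)

# --- Hardened design: server-side salted, iterated hashing ----------------
# The client sends the password itself over a protected transport (TLS);
# the server derives a key with a per-user random salt. A copied record
# cannot be presented as a login because the server expects a password.

ITERATIONS = 600_000  # assumption: a PBKDF2-SHA256 work factor in current guidance

def strong_enroll(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}

def strong_verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(bytes.fromhex(record["digest"]), digest)

def demo() -> dict:
    """Constructed scenario: someone holds only the stored record, not the password."""
    password = "correct horse"  # constructed sample value
    weak_record = weak_enroll(password)
    strong_record = strong_enroll(password)
    return {
        # Weak: presenting the stored value is indistinguishable from a real login.
        "weak_accepts_stored_value": weak_verify(weak_record, weak_record),
        # Strong: the stored digest is not a password and is rejected.
        "strong_accepts_stored_value": strong_verify(strong_record, strong_record["digest"]),
        "strong_accepts_password": strong_verify(strong_record, password),
        "strong_accepts_wrong_password": strong_verify(strong_record, "wrong"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened variant still depends on transport protection, since the password now crosses the wire; a challenge-response scheme is the usual alternative when the transport cannot be trusted, and the same lesson applies there: the server-side secret must never be the exact value a client is expected to send.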
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.31F01 or later
Vendor Advisory: https://www.armis.com/research/frostbyte10/
Restart Required: Yes
Instructions:
1. Download firmware version 2.31F01 or later from the vendor.
2. Back up the current configuration.
3. Apply the firmware update following the vendor's instructions.
4. Restart the system.
5. Verify that authentication now requires actual passwords, not just hashes.
🔧 Temporary Workarounds
Network Segmentation
Isolate E3 Site Supervisor systems on separate VLANs with strict firewall rules limiting access to authorized management stations only.
Credential Protection
Implement strict password policies and monitor for credential dumping attempts on systems that might store or transmit password hashes.
🧯 If You Can't Patch
- Implement network-level authentication (802.1X) and strict access controls to limit which systems can communicate with the vulnerable services.
- Deploy network monitoring and IDS/IPS systems to detect and block authentication attempts using stolen hashes.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface or CLI. If the version is below 2.31F01, the system is vulnerable.
Check Version:
Check via web interface at System > About, or consult vendor documentation for CLI command.
Verify Fix Applied:
After patching, verify that the firmware version is 2.31F01 or later and test that authentication requires actual passwords, not just hashes.
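For a fleet of controllers, the version check above is easier to apply from an inventory than one web interface at a time. The helper below is an added example, not vendor tooling; it assumes the firmware string has the shape `major.minor` followed by an optional `F<build>` suffix (as in `2.31F01`) and that builds order numerically, so a string without a suffix is treated as build 0. Verify that assumption against the vendor's version documentation before relying on it.

```python
"""
Added example (not vendor code): triage an inventory of firmware strings
against the fixed version 2.31F01. The version layout is an assumption.
"""
import re

FIXED_VERSION = "2.31F01"  # from the advisory

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:F(\d+))?")

def parse_version(version: str) -> tuple:
    """Assumed layout: <major>.<minor>[F<build>] -> (major, minor, build)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    major, minor, build = m.groups()
    return (int(major), int(minor), int(build or 0))  # no suffix -> build 0 (assumption)

def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the firmware is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)

def triage(inventory: dict) -> list:
    """inventory: {hostname: version}; returns hosts still needing the update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"bms-01": "2.30F05", "bms-02": "2.31F01", "bms-03": "2.31", "bms-04": "2.31F02"}
    print("needs update:", triage(sample))
```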
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful authentication with same credentials
- Multiple authentication attempts from unusual IP addresses
- Authentication logs showing hash-based login patterns
Network Indicators:
- Unusual authentication traffic to MGW/RCI services
- Credential dumping tools communicating with management systems
- Authentication bypass attempts
SIEM Query:
source="e3_logs" AND (event_type="authentication" AND result="success") | stats count by src_ip, user | where count > threshold
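The log indicators above and the SIEM query can be exercised offline before a detection is committed to production. The script below is an added example, not part of the advisory or of any E3 logging facility: it parses a handful of constructed authentication log lines in an assumed `timestamp src_ip user result` layout, then raises alerts for a failure followed shortly by a success with the same credentials, for successes from addresses outside an assumed list of management stations, and for per-source success volume (the `count > threshold` clause of the SIEM query, with the threshold fixed at 3 for the sample).

```python
"""
Added example (hypothetical, not from the advisory): a small detector over
constructed authentication log lines. The log layout, field names, the
management-station allowlist and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <user> <result>".
SAMPLE_LOG = """\
2025-06-01T08:00:01Z 10.10.5.20 operator failure
2025-06-01T08:00:04Z 10.10.5.20 operator success
2025-06-01T08:05:00Z 10.10.5.21 admin success
2025-06-01T08:06:10Z 192.168.77.9 admin success
2025-06-01T08:06:12Z 192.168.77.9 admin success
2025-06-01T08:06:15Z 192.168.77.9 admin success
"""

# Assumption: the only stations authorised to authenticate to the controller.
MANAGEMENT_STATIONS = {"10.10.5.20", "10.10.5.21"}
FAIL_THEN_SUCCESS_WINDOW = timedelta(seconds=30)
SUCCESS_THRESHOLD = 3  # stands in for 'threshold' in the SIEM query

def parse(log_text: str) -> list:
    """Parse the assumed layout into event dicts, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, user, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src_ip": src_ip, "user": user, "result": result})
    return events

def detect(events: list) -> list:
    """Return (indicator, src_ip, user) tuples for the three log indicators."""
    alerts = []
    last_failure = {}             # (src_ip, user) -> timestamp of last failure
    successes = defaultdict(int)  # src_ip -> successful logins seen so far
    for ev in events:
        key = (ev["src_ip"], ev["user"])
        if ev["result"] == "failure":
            last_failure[key] = ev["ts"]
            continue
        if ev["result"] != "success":
            continue
        # Failed attempt followed by success with the same credentials.
        if key in last_failure and ev["ts"] - last_failure[key] <= FAIL_THEN_SUCCESS_WINDOW:
            alerts.append(("fail_then_success", ev["src_ip"], ev["user"]))
        # Successful login from an address that is not a management station.
        if ev["src_ip"] not in MANAGEMENT_STATIONS:
            alerts.append(("unexpected_source", ev["src_ip"], ev["user"]))
        # Per-source success volume, as in the SIEM query's count threshold.
        successes[ev["src_ip"]] += 1
        if successes[ev["src_ip"]] == SUCCESS_THRESHOLD:
            alerts.append(("success_volume", ev["src_ip"], ev["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The allowlist check is the one most worth tuning: on a segmented network it should mirror the firewall rules from the workarounds above, so that any success from outside the management VLAN is an alert in its own right rather than a statistical anomaly.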