CVE-2025-52545

7.5 HIGH

📋 TL;DR

CVE-2025-52545 allows attackers to retrieve all usernames and password hashes via an API call in the RCI service of E3 Site Supervisor Control. This affects systems running firmware versions below 2.31F01, potentially exposing authentication credentials for application services.

💻 Affected Systems

Products:
  • E3 Site Supervisor Control
Versions: firmware version < 2.31F01
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the RCI service component; all configurations with this service enabled are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete credential compromise leading to unauthorized access, privilege escalation, lateral movement, and potential system takeover across all application services.

🟠 Likely Case

Credential harvesting enabling unauthorized access to application services, potentially leading to data theft or manipulation.

🟢 If Mitigated

Limited exposure if strong network segmentation and access controls prevent external or unauthorized internal access to the vulnerable API.

🌐 Internet-Facing: HIGH if the RCI service is exposed to the internet, as attackers can remotely harvest credentials without authentication.
🏢 Internal Only: MEDIUM if accessible only internally, but still poses credential theft risk from compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves a single API call to the RCI service; according to the description, no authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.31F01 or later

Vendor Advisory: https://www.armis.com/research/frostbyte10/

Restart Required: Yes

Instructions:

1. Download firmware version 2.31F01 or later from the vendor.
2. Back up the current configuration.
3. Apply the firmware update via the management interface.
4. Reboot the device.
5. Verify that the reported firmware version has been updated.

🔧 Temporary Workarounds

Disable RCI Service

Platform: all

Disable the vulnerable RCI service if it is not required for operations.

Check the vendor documentation for the specific disable commands.

Network Segmentation

Platform: all

Restrict network access to the RCI service using firewall rules, for example (replace [RCI_PORT] with the port the RCI service listens on):

iptables -A INPUT -p tcp --dport [RCI_PORT] -j DROP
netsh advfirewall firewall add rule name="Block RCI" dir=in action=block protocol=TCP localport=[RCI_PORT]

These are generic host-firewall rules. On a gateway that forwards traffic to the controller, the equivalent iptables rule belongs in the FORWARD chain rather than INPUT, and because -A appends, the DROP rule only takes effect if no earlier rule in the chain already accepts that traffic.

🧯 If You Can't Patch

  • Implement strict network access controls to limit RCI service exposure to trusted IPs only.
  • Monitor network traffic to the RCI service for unauthorized access attempts and credential extraction patterns.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the device management interface; if the version is below 2.31F01, the system is vulnerable.

Check Version:

Check via the device CLI or web interface; the specific command varies by vendor implementation.

Verify Fix Applied:

Confirm that the firmware version is 2.31F01 or later after the update; then test the API call to the RCI service to ensure it no longer returns credential data.
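A small helper for the version check above, added here as an example and not taken from the advisory or the vendor. It assumes the firmware string format shown by 2.31F01 (major.minor, then a letter and a build number) and compares those parts in order; that ordering is an assumption to confirm against the vendor's release notes.

```python
import re
from typing import Dict, List, Tuple

# Fixed release named in the advisory for CVE-2025-52545.
FIXED_VERSION = "2.31F01"

# ASSUMPTION (not stated by the vendor): firmware strings look like
# "<major>.<minor><letter><build>", e.g. "2.31F01", and sort numerically on
# major, then minor, then the letter, then the build number. A string with
# no letter/build suffix (e.g. "2.31") sorts before "2.31F01".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:([A-Za-z])(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, str, int]:
    """Split a firmware string into a comparable tuple; raise on unknown formats."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    major, minor, letter, build = m.groups()
    return (int(major), int(minor), (letter or "").upper(), int(build or 0))


def is_vulnerable(version: str) -> bool:
    """True when the reported firmware is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return controller names that still need the 2.31F01 update.
    Unparseable version strings are included so they get manual review
    instead of being silently treated as patched."""
    needs_update = []
    for device, version in inventory.items():
        try:
            if is_vulnerable(version):
                needs_update.append(device)
        except ValueError:
            needs_update.append(device)
    return sorted(needs_update)


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {
        "store-101-e3": "2.30F12",
        "store-102-e3": "2.31F01",
        "store-103-e3": "2.31F03",
        "store-104-e3": "unknown",
    }
    print(triage_inventory(sample))  # ['store-101-e3', 'store-104-e3']
```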

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to RCI service
  • Multiple failed authentication attempts following credential exposure

Network Indicators:

  • HTTP requests to RCI service endpoints from unauthorized sources
  • Traffic patterns indicating credential harvesting

SIEM Query:

source="device_logs" AND (event="RCI_API_call" OR event="credential_access")

The source and event names in this query are illustrative; map them to the field names your log pipeline actually emits for the controller's RCI service.

🔗 References