CVE-2025-6519

Summary

E3 Site Supervisor (firmware version < 2.31F01) has a default admin user "ONEDAY" with a daily generated password. An attacker can predictably generate the password for ONEDAY. The oneday user cannot be deleted or modified by any user.

Affected Software

VendorProductVersion RangeStatus
Copeland LPE3 Supervisory Control0 < 2.31F01affected

Weaknesses

  • CWE-522: CWE-522 Insufficiently Protected Credentials

Workarounds

Restrict access to the E3 Supervisory Controls network interface (ETH 0) by use of restricted VLAN or subnet and / or network firewall. Ensure the restricted VLAN or subnet is never accessible from untrusted networks.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References