

Frostbyte10 Bugs Put Thousands of Refrigerators At Major Grocery Chains At Risk (theregister.com)
An anonymous reader quotes a report from The Register: Ten vulnerabilities in Copeland controllers, which are found in thousands of devices used by the world's largest supermarket chains and cold storage companies, could have allowed miscreants to manipulate temperatures and spoil food and medicine, leading to massive supply-chain disruptions. The flaws, collectively called Frostbyte10, affect Copeland E2 and E3 controllers, used to manage critical building and refrigeration systems, such as compressor groups, condensers, walk-in units, HVAC, and lighting systems. Three received critical-severity ratings. Operational technology security firm Armis found and reported the 10 bugs to Copeland, which has since issued firmware updates that fix the flaws in both the E3 and the E2 controllers. The E2s reached their official end-of-life in October, and affected customers are encouraged to move to the newer E3 platform. Upgrading to Copeland firmware version 2.31F01 mitigates all the security issues detailed here, and the vendor recommends patching promptly.
In addition to the Copeland updates, the US Cybersecurity and Infrastructure Security Agency (CISA) is also scheduled to release advisories today, urging any organization that uses vulnerable controllers to patch immediately. Prior to these publications, Copeland and Armis execs spoke exclusively to The Register about Frostbyte10, and allowed us to preview an Armis report about the security issues. "When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges," it noted. [...] To be clear: there is no indication that any of these vulnerabilities were found and exploited in the wild before Copeland issued fixes. However, the manufacturer's ubiquitous reach across retail and cold storage makes it a prime target for all manner of miscreants, from nation-state attackers looking to disrupt the food supply chain to ransomware gangs looking for victims who will quickly pay extortion demands to avoid operational downtime and food spoilage.
Here are all 10 CVEs highlighted by The Register:
- CVE-2025-6519, a CVSS 9.3 vulnerability in E3 Site Supervisor Control due to a default admin user "ONEDAY" with a daily generated password that can be predictably generated; the ONEDAY user cannot be deleted or modified.
- CVE-2025-52543, a CVSS 5.3 authentication flaw in two E3 application services (Management Gateway or MGW, and Remote Communication Interface or RCI) that use client-side hashing for authentication. An attacker can authenticate by obtaining only the password hash.
- CVE-2025-52544, a CVSS 8.8 arbitrary read vulnerability in E3. The controller has a floor plan feature that allows for an unauthenticated attacker to upload specially crafted floor plan files and then access any file from the E3 file system.
- CVE-2025-52545, a CVSS 7.7 privilege escalation bug in E3. The RCI service contains an API call to read user info, which returns all usernames and password hashes for the application services.
- CVE-2025-52546, a CVSS 5.1 XSS flaw in E3, due to a floor plan feature that allows for an unauthenticated attacker to upload floor plan files. An attacker can upload a specially-crafted floor plan file, and then inject stored XSS into the floor plan web page.
- CVE-2025-52547, a CVSS 8.7 denial of service (DoS) bug in E3. The MGW service contains an API call that lacks input validation, and this can be abused by an attacker to continuously crash the application services.
- CVE-2025-52548, a CVSS 6.9 security issue in E3 that's caused by a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. However, an attacker with admin access to the application services can abuse this API to enable remote access to the underlying OS.
- CVE-2025-52549, a CVSS 9.2 bug in E3 that generates the root Linux password on each boot. This allows an attacker to generate the root Linux password for a vulnerable device based on known or easy-to-fetch parameters.
- CVE-2025-52550, a CVSS 8.6 flaw in E3 caused by unsigned firmware upgrade packages. An attacker with admin access to the application services can forge a firmware upgrade package and then install the malicious version.
- CVE-2025-52551, a CVSS 9.3 flaw in E2 Facility Management Systems, which use a proprietary protocol that allows for unauthenticated file operations on any file in the file system.
I can't see how food storage can be 100% automated (Score:4, Insightful)
There should always be at least a few people on-site at any of these locations. So why are these things on the internet?
Re: (Score:3, Interesting)
There should always be at least a few people on-site at any of these locations. So why are these things on the internet?
The person on-site at a grocery store at 2 in the morning is the security guard. The security guard is not likely to be tasked with monitoring the freezer temperatures, and wouldn't have the slightest notion what to do if the temperature is wrong.
Re: (Score:3)
Step 1: Go look at the thermostat on a refrigerator with a numeric ID.
Step 2: Look at the piece of paper that has the ID and the temperature it should be at
Step 3: If there is a mismatch, notify management
Step 4: Look at the next refrigerator.
I think the security guard can handle that duty. Also, depending where you are, some areas have 24 hour grocery stores. I used to live in such an area and loved the fact that I could go get groceries at 12:30 at night and go right up to the cashier w
Re: (Score:2)
These things shouldn't be on the internet.
It depends. There's nothing wrong with these industrial devices pushing warnings or alarms to some "central" aggregator (the same way a security alarm signals ADT for an intrusion or fire.)
So, egress signals are ok. The problem is ingress - they can't be wide open. And updates must be rollback-able. I've worked with platforms that have partitioned hardware to hold multiple firmware/app-ware to allow a transparent rollback if an upgrade fails.
There is a technical and business case to have these systems
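As an added example (not Copeland's code, and not from the Armis report), the Go program below combines two defensive measures this thread touches on: signature verification of upgrade packages, which CVE-2025-52550 in the summary says the E3 lacked, and the partitioned A/B firmware layout with rollback that the comment above describes. The package format, slot model and health check are assumptions made for illustration; the Ed25519 key pair is generated at run time and stands in for a vendor key that would be pinned in the controller.

```go
package main

// Added example, not Copeland's code: a controller-side update path that
// refuses unsigned or forged firmware packages (the gap behind CVE-2025-52550)
// and installs into the inactive slot of an A/B layout so a failed upgrade can
// be rolled back, the "partitioned hardware" pattern the comment above describes.
// Package format, slot model and health check are assumptions for illustration.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is an upgrade as shipped: the image plus a signature over
// sha256(version, image), so a valid old image cannot be relabelled as newer.
type Package struct {
	Version   string
	Image     []byte
	Signature []byte
}

var ErrBadSignature = errors.New("firmware: signature does not verify under the vendor key")

func digest(version string, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(image)
	return h.Sum(nil)
}

// SignPackage is the vendor build step, included only so the example runs offline.
func SignPackage(priv ed25519.PrivateKey, version string, image []byte) Package {
	return Package{Version: version, Image: image, Signature: ed25519.Sign(priv, digest(version, image))}
}

// VerifyPackage is the controller-side check. The vendor public key is pinned
// in the controller; nothing inside the package is trusted until it passes.
func VerifyPackage(vendorPub ed25519.PublicKey, p Package) error {
	if !ed25519.Verify(vendorPub, digest(p.Version, p.Image), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Slot is one of two firmware partitions; the controller boots Slots[Active].
type Slot struct {
	Version string
	Image   []byte
	Valid   bool
}

type Controller struct {
	VendorPub ed25519.PublicKey
	Slots     [2]Slot
	Active    int
}

// Install verifies first, then writes the inactive slot and switches to it;
// the image that was running stays intact in the other slot.
func (c *Controller) Install(p Package) error {
	if err := VerifyPackage(c.VendorPub, p); err != nil {
		return err
	}
	next := 1 - c.Active
	c.Slots[next] = Slot{Version: p.Version, Image: append([]byte(nil), p.Image...), Valid: true}
	c.Active = next
	return nil
}

// Boot runs the health check on the active slot; on failure the slot is marked
// bad and the controller falls back to the other slot if that one is valid.
func (c *Controller) Boot(healthy func(Slot) bool) (string, error) {
	if healthy(c.Slots[c.Active]) {
		return c.Slots[c.Active].Version, nil
	}
	c.Slots[c.Active].Valid = false
	other := 1 - c.Active
	if !c.Slots[other].Valid {
		return "", errors.New("firmware: no bootable slot")
	}
	c.Active = other
	return c.Slots[other].Version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	c := &Controller{VendorPub: pub, Slots: [2]Slot{{Version: "1.0", Image: []byte("v1 image"), Valid: true}}}
	fmt.Println("install vendor-signed 2.0:", c.Install(SignPackage(priv, "2.0", []byte("v2 image"))))
	v, _ := c.Boot(func(s Slot) bool { return s.Version != "2.0" }) // pretend 2.0 fails its health check
	fmt.Println("booted:", v)                                        // rolled back to 1.0
}
```

Running it installs a vendor-signed 2.0 beside a running 1.0, then simulates 2.0 failing its boot health check, so Boot marks that slot bad and comes back up on 1.0. A package signed with any other key, or whose image or version field was altered after signing, fails VerifyPackage before it touches either slot.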
Re: (Score:2)
People don't have to do this.
We have alarms to alert when the temperature is out of whack.
Maybe once a month some calibration data should be gathered.
And, yes, the alarms should not be on the Internet.
Re:I can't see how food storage can be 100% automa (Score:4, Informative)
A couple of my relatives work at grocery stores. At least at their stores, overnight is when re-stocking of the shelves and freezer cases happens (plus some, like Winco and Walmart, are actually open 24/7).
Re: (Score:1)
Can confirm. Safeway calls this the "midnight down" crew. I did uniformed security at a Safeway in Santa Cruz for a while. That store was open all night, but even if it wasn't, there would still be employees in it.
Re: (Score:2)
There either are or can be audible and visual alarms when temp is out of range. At that point, the security guard calls the company, the company calls its wizard, and the wizard tries to troubleshoot over the internet to avoid getting out of his jammies.
Re: (Score:2, Interesting)
The E2s reached their official end-of-life in October, and affected customers are encouraged to move to the newer E3 platform.
When you have to worry about patching your refrigerator you are very nearly at peak stupidity.
Re: (Score:3)
Errr no, food storage facilities do not have 24/7 staffing. Heck critical medicine storage facilities do not have 24/7 staffing. You're also right, they can't be 100% automated. 85% automated on the other hand is perfectly fine to cover work hours.
Re: (Score:3)
Obviously the way to remote manage this is to have the controller PC list the temps on a display and then a camera pointed at that display reads the characters and relays changes to the people monitoring. Literal airgap.
What's great is half of you will take this as over the top sarcastic and the other half deadly serious.
Personally, I think that you're serious about the basic idea, and over-the-top about the implementation.
There's no reason to point cameras at a display - simply take the figures that are or would be on the display, and send them via der interwebs as data. Then emergency interventions can be relegated to local on-call techs who respond to out-of-range alarms. Alternatively - or additionally - a very limited range of remote temperature control could be hard coded into the controller, to allow for remote adjus
Re: (Score:2)
On tweaking - the thermometer that reports the temperature on the internet could be completely separate from the thermostat controlling the refrigeration system.
Re: (Score:1)
On tweaking - the thermometer that reports the temperature on the internet could be completely separate from the thermostat controlling the refrigeration system.
To put it another way, there's exactly no reason to allow remote control over refrigeration like this. The refrigerator is designed to keep the contents at a particular target temperature, and no amount of remote intervention is likely to fix it if it fails to do so.
The only reason you would want to change the temperature would be if you changed what products were going into that refrigerator, and that means you're physically at the unit and can change the temperature manually just as easily.
So yeah, just sti
About 30 years ago (Score:3)
A film called "Hackers" was released in 1995. It depicted devices and infrastructure being manipulated, despite that at the time the movie was made, most of the things shown were not typically connected to the Internet. That broke my suspension of disbelief at the time, and among my friends we mocked it for just being another example of Hollywood being, well, Hollywood. Nowadays though, all sorts of things that shouldn't be connected to the internet, are.
Whoever thought it would be a good idea to connect commercial refrigeration to the internet should be forced to watch that movie on repeat until they get the message. Thirty fucking years ago Hollywood saw it coming, and you went and did it anyway.
Re: (Score:3)
Whoever thought it would be a good idea to connect commercial refrigeration to the internet should be forced to watch that movie on repeat until they get the message.
What message is that going to send? Make your life more complicated and less automated on the off chance that a hacker may identify a vulnerability and mess with your infrastructure.
Did you read the news today? It's about bugs identified that could allow hackers to gain access. That is, detection, pre-announcing, giving people the opportunity to assess risk and take action. Any actual problem postulated in this case was a theoretical what-if scenario. The news today was not "10s of thousands of refrigerator
Re: (Score:2)
Humans make poor judgement on rare risk events. Getting people to watch hackers won't change their behaviour because it remains a rare risk event.
I'm no expert, and bad news is often over-reported. So I'm going to pose this as a question rather than as a statement: Given that we hear so much news about major hacks and data breaches, are we really talking about "a rare risk event"?
Re: (Score:2)
Yes. Multiply the news by the number of companies, by the number which occur in any given year, and you end up with an event that may affect you in 1/100 years+ for any individual company, lower if that company is an irrelevant little shop no one has heard of. If you run a typical small company you could take *no* security measures and you're still likely to not have a problem over your tenure at the business.
That's the issue with rare risk events. That 1/100 year event may not occur for 99 years, or it may occu
Re: (Score:2)
The 's' in IoT stands for 'security'
Here it comes (Score:2, Interesting)
Re:Here it comes (Score:5, Funny)
Maybe I should move to New Zealand.
TIL New Zealand is safe from hackers.
Re: (Score:2)
Yeah but it isn't safe from sheep. You really need to watch this documentary https://www.imdb.com/title/tt0... [imdb.com]
Re: (Score:2)
Not via the internet. It's been quite clear that infrastructure destruction hasn't been swift, and has been mostly manual. Despite the occasional stories when it has come to actual conflict, cyber warfare has played a minor part in actually achieving something in recent memory.
solution (Score:1)
If connected to the internet, wouldn't the below stop 99% of these issues:
Auth1: restrict connections by source IPv4 or IPv6 of the vendor (if vendor managed). The customer could add their own HQ IPv4 or IPv6 source addresses.
Auth2: require a legit client certificate when connecting to them that's signed by the vendor (if vendor managed). The customer could also add their own client cert from their internal CA.
Auth3: require username\password
Only if all 3 auth layers pass can you connect.
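Added example, not Copeland's or any vendor's code: the three layers above expressed as a Go policy check that a management gateway would run after the TLS handshake. Layer 1 matches the source address against allow-listed prefixes (vendor NOC, customer HQ); layer 2 verifies that the presented client certificate chains to a CA in the trusted pool (vendor CA, or the customer's internal CA); layer 3 checks the username and password against a server-side salted hash, which is the contrast to the client-side hashing described under CVE-2025-52543 in the summary, where holding the hash was enough to log in. The CA names, address prefixes (documentation ranges), account and the throwaway in-memory PKI are all constructed for the example.

```go
package main

// Added example, not Copeland's or any vendor's code: the three connection
// layers proposed in the comment above, applied in order by a management
// gateway. Layer 3 hashes the submitted password server-side, so a stolen hash
// alone is not a credential (contrast CVE-2025-52543 in the summary). CA names,
// address prefixes and the user account are constructed for the example.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/netip"
	"time"
)

var ErrSource = errors.New("layer 1: source address not allow-listed")
var ErrCert = errors.New("layer 2: client certificate does not chain to a trusted CA")
var ErrPassword = errors.New("layer 3: bad username or password")

// must panics on error so the throwaway PKI setup below stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Credential is what the server stores: a per-user random salt plus the hash.
// Salted SHA-256 stands in for a slow KDF (Argon2id, scrypt) to keep this
// short; what matters is that the server derives the hash from the password.
type Credential struct{ Salt, Hash []byte }

func hashPassword(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

func NewCredential(password string) Credential {
	salt := make([]byte, 16)
	must(rand.Read(salt))
	return Credential{Salt: salt, Hash: hashPassword(salt, password)}
}

// Gateway is the policy evaluated for every management connection.
type Gateway struct {
	AllowedSources []netip.Prefix
	TrustedCAs     *x509.CertPool // vendor CA, plus the customer's own CA if added
	Users          map[string]Credential
}

// Authorize takes what the server knows after the TLS handshake and applies
// the three layers in order, stopping at the first failure.
func (g *Gateway) Authorize(src netip.Addr, peer *x509.Certificate, user, password string) error {
	allowed := false
	for _, p := range g.AllowedSources {
		allowed = allowed || p.Contains(src)
	}
	if !allowed {
		return ErrSource
	}
	if peer == nil {
		return ErrCert
	}
	opts := x509.VerifyOptions{Roots: g.TrustedCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer.Verify(opts); err != nil {
		return ErrCert
	}
	cred, ok := g.Users[user]
	if !ok || subtle.ConstantTimeCompare(hashPassword(cred.Salt, password), cred.Hash) != 1 {
		return ErrPassword
	}
	return nil
}

// issue builds an in-memory certificate for name: with ca == nil a self-signed
// CA, otherwise a client-auth leaf signed by ca. Exists only so this runs offline.
func issue(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	} else {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	vendorCA, vendorKey := issue("Vendor Service CA (constructed)", nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(vendorCA)
	g := &Gateway{AllowedSources: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}, TrustedCAs: pool,
		Users: map[string]Credential{"fieldtech": NewCredential("correct horse battery staple")}}
	laptop, _ := issue("tech-laptop-01", vendorCA, vendorKey)
	fmt.Println("all three layers:", g.Authorize(netip.MustParseAddr("203.0.113.7"), laptop, "fieldtech", "correct horse battery staple"))
}
```

The order matters: the cheap network check runs first, the certificate check second, and the password is only examined once the client has already proven possession of a key the trusted CA issued, so password guessing from an arbitrary address never reaches layer 3. A certificate from any other CA, a missing certificate, an unknown user, a wrong password, or the stored hash submitted as the password all fail.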
Re: (Score:2)
If connected to the internet, wouldn't the below stop 99% of these issues:
Auth1: restrict connections by source IPv4 or IPv6 of the vendor (if vendor managed). The customer could add their own HQ IPv4 or IPv6 source addresses.
Auth2: require a legit client certificate when connecting to them that's signed by the vendor (if vendor managed). The customer could also add their own client cert from their internal CA.
Auth3: require username\password
Missing layer:
Auth 0: have competent IT personnel on the staff to set up Auths 1 through 3
From experience I can say that Auth 0 is going to be the least likely to happen for most of these companies. That is why they have the coolers connected to the internet in the first place, no one local can actually set a thermostat to save their lives.
Stupidity is often painful (Score:1)
Chillers do not need remote controls. They worked just fine before the internet.
People wanting such vulns should be fired and blacklisted for negligent thinking. If they work for anyone reading this, shitcan them because stupidity never gets better. Human problems are easily solved by removing the problem human.
Re: (Score:2, Flamebait)
No, not negligent at all.
A typical supermarket may have about 60 or so refrigerators and freezers. In that number, chances are pretty good that, on occasion, one of them will malfunction. Manually checking each one is labor-intensive. Many grocery stores employ teenagers or people with disabilities, providing them with much-needed money and self-respect. These people aren't necessarily the most adept at carefully monitoring dozens of machines.
As with anything a business does, it's cost/benefit. It costs les
Remote reporting is not remote control. (Score:2, Insightful)
Simple monitoring via internet would expose no controls and keep incompetents away from what they should not touch.
System malfunctions require repair techs like my bro who does exclusively commercial HVAC. (He makes nice bank from store owners who refuse to upgrade but willingly pay emergency rates again and again to avoid losing their stock. Wonderful job security in the hot southeast.) One cannot replace compressors over the internet.
Remote monitoring to ensure prompt tech dispatch would risk nothing.
Re: (Score:2)
I think you just agreed entirely with me.
Re: (Score:2, Troll)
Chillers do not need remote controls. They worked just fine before the internet.
And if they provided no benefit then people wouldn't pay extra to buy them. I suspect you don't know what the feature does or is used for and have never owned a commercial bank of chillers before. I think your ignorance trumps other people's alleged stupidity.
Re: (Score:2)
Really though, it's California's fault. They want to be able to raise the freezer temperature a few degrees close to 'safe levels' to use that energy when someone runs an AI query and the datacenters spin up to answer your question.
Was Lunduke right in this instance? (Score:2)
Some time ago he did a talk on IoT, and how it will destroy us all...
https://www.youtube.com/watch?v=3HxPzutkNYw
I'm actually not sure if industrial equipment is the same thing as... you know... connecting your own refrigerator or toaster to the internet, but for some reason this story feels like a narrative fit.
Don't forget to run security patches on your toasters, people!