CVE-2025-52548

E3 Site Supervisor Control (firmware version < 2.31F01) contains a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. An attacker with admin access to the application services can utilize this API to enable remote access to the underlying OS.

CVSS

No CVSS.

References

Link	Resource
https://www.armis.com/research/frostbyte10/

Configurations

No configuration.

History

02 Sep 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-02 12:15

Updated : 2025-09-02 15:55

NVD link : CVE-2025-52548

Mitre link : CVE-2025-52548

CVE.ORG link : CVE-2025-52548

JSON object : View

Products Affected

No product.

CWE

CWE-1242

Inclusion of Undocumented Features or Chicken Bits

{"id": "CVE-2025-52548", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "dd59f033-460c-4b88-a075-d4d3fedb6191", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-09-02T12:15:37.393", "references": [{"url": "https://www.armis.com/research/frostbyte10/", "source": "dd59f033-460c-4b88-a075-d4d3fedb6191"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "dd59f033-460c-4b88-a075-d4d3fedb6191", "description": [{"lang": "en", "value": "CWE-1242"}]}], "descriptions": [{"lang": "en", "value": "E3 Site Supervisor Control (firmware version < 2.31F01) contains a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. An attacker with admin access to the application services can utilize this API to enable remote access to the underlying OS."}], "lastModified": "2025-09-02T15:55:25.420", "sourceIdentifier": "dd59f033-460c-4b88-a075-d4d3fedb6191"}

CVE-2025-52548

JSON object

Attach tags to CVE-2025-52548

Attach tags to `CVE-2025-52548`