Armis Labs has disclosed ten cybersecurity vulnerabilities in Copeland’s E2 and E3 controllers, widely used in HVAC, building management, and commercial refrigeration systems across industries such as food retail, pharmaceuticals, and cold chain logistics.
The flaws, discovered during a technical analysis by Armis Labs, include the use of an unauthenticated proprietary protocol that allows sensitive operations without encryption or identity verification. These vulnerabilities could enable unauthorized access, remote code execution, system manipulation, and data exposure in operational technology (OT) environments.
Armis notified Copeland upon discovery, initiating a coordinated remediation process. Copeland has since released mitigation measures for the affected controllers.
The E2 Facility Management System is a long-standing solution used to control HVAC units, walk-in coolers, compressor groups, and lighting systems. The E3 Supervisory Control, launched in 2021 as an upgrade, offers enhanced processing capabilities, a built-in touchscreen, and remote access features.
“By working with Copeland and disclosing these vulnerabilities in coordination with the appropriate parties, we aimed to provide an early warning signal to the industry and help reduce the attack surface,” Armis Labs stated.
Armis urges users of Copeland E2 and E3 controllers to assess their systems and apply the recommended patches.