CVE-2025-52546 is a medium-severity vulnerability affecting Copeland LP's E3 Supervisory Control system, specifically firmware versions prior to 2.31F01. The vulnerability arises from an unrestricted file upload flaw (CWE-434) in the floor plan feature of the system. This feature allows unauthenticated attackers to upload floor plan files without proper validation or restrictions on file types. By uploading a specially crafted floor plan file, an attacker can inject stored Cross-Site Scripting (XSS) payloads into the floor plan web page. Stored XSS occurs when malicious scripts are permanently stored on the target server and executed in the context of users accessing the affected page. In this case, the vulnerability does not require authentication, which significantly lowers the barrier for exploitation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but user interaction is required (UI:A), and low impact on confidentiality and integrity but no impact on availability. The vulnerability allows attackers to execute arbitrary JavaScript in the context of the victim's browser when viewing the floor plan page, potentially leading to session hijacking, credential theft, or further exploitation of the internal network if administrative users are targeted. Although no known exploits are currently in the wild, the vulnerability's presence in supervisory control firmware used in building management or industrial environments raises concerns about potential lateral movement or disruption if exploited. The lack of available patches at the time of publication means affected organizations must rely on mitigation strategies until updates are released.

For European organizations, especially those operating critical infrastructure or industrial control systems that utilize Copeland LP's E3 Supervisory Control, this vulnerability poses a risk of unauthorized access and compromise of supervisory control interfaces. Exploitation could lead to theft of sensitive operational data, manipulation of control interfaces, or use of the compromised system as a pivot point for broader network intrusion. The stored XSS could be leveraged to target facility managers or operators who access the floor plan web page, potentially enabling attackers to steal credentials or deploy further malware. Given the supervisory control context, any compromise could indirectly affect operational integrity and safety, although direct control system manipulation is not indicated by this vulnerability alone. The unauthenticated nature of the exploit increases risk, as attackers do not need valid credentials to attempt exploitation. European organizations with deployments in sectors such as manufacturing, building automation, or energy management should be particularly vigilant. The medium CVSS score reflects moderate risk, but the potential for cascading effects in critical environments elevates the importance of timely mitigation.

1. Immediate mitigation should include restricting network access to the E3 Supervisory Control web interface, ideally limiting it to trusted internal networks and VPN access only, to reduce exposure to unauthenticated attackers. 2. Implement web application firewalls (WAFs) with rules designed to detect and block malicious file uploads and XSS payloads targeting the floor plan upload functionality. 3. Monitor logs and network traffic for unusual upload activity or access patterns to the floor plan feature, enabling early detection of exploitation attempts. 4. Educate users and administrators about the risks of interacting with untrusted floor plan files and encourage cautious behavior when accessing the web interface. 5. Coordinate with Copeland LP for timely firmware updates or patches addressing this vulnerability and plan for prompt deployment once available. 6. Consider deploying Content Security Policy (CSP) headers on the web interface to mitigate the impact of XSS by restricting script execution sources. 7. If possible, disable the floor plan upload feature temporarily until a patch is applied or additional controls are in place.