Sep 02, 2025

Securing CPS: How Armis and Copeland Worked Together to Address E2 and E3 Controller Vulnerabilities

In Uncovering 10 Vulnerabilities Armis Labs Demonstrated How Responsible Disclosure, Deep Technical Expertise, and Collaborative Remediation Protect Not Just Devices but the Industries and Public That Rely on Them

At Armis Labs, our mission is clear: uncover the unseen threats targeting mission-critical systems and enable the world’s enterprises to defend against them before adversaries can exploit them.

Today, we are disclosing ten vulnerabilities found in Copeland’s E2 and E3 controllers [1], devices widely deployed across global enterprises for managing HVAC, BMS, and commercial refrigeration systems in industries including food retail, pharmaceuticals, and cold chain logistics.

These vulnerabilities, discovered by Armis Labs, posed a range of risks to operational technology environments, potentially allowing unauthorized actors to gain root access and manipulate refrigeration parameters, disable systems, gain full remote code execution, or access sensitive operational data. Armis alerted Copeland to these findings upon discovery. After a comprehensive and collaborative process, Copeland has taken definitive steps to mitigate these issues in the E2 and E3 controller product line.

From Discovery to Protection

Armis Labs’ review of the Copeland E2 and E3 devices identified certain security vulnerabilities. Chief among them was the devices’ use of an unauthenticated proprietary protocol, which permitted sensitive operations without any form of identity verification or encryption. These are not just coding oversights; they represent structural risks that can persist in OT environments for years.

Our process goes far beyond technical analysis. Upon discovery, Armis Labs:

  1. Assessed live deployments of both controllers to determine real-world exposure.
  2. Engaged directly with Copeland, ensuring findings were addressed rapidly and comprehensively.
  3. Coordinated with regulatory bodies to align mitigation efforts with industry best practices.
  4. Provided early warning to the broader OT and critical infrastructure community to limit exploitation risk.

By treating disclosure as a collaborative, transparent process, not a one-time announcement, we were able to reduce the attack surface before these vulnerabilities could be weaponized.

The Importance of Early Warning and Responsible Disclosure

Responsible vulnerability disclosure is not just a technical process; it is also a moral imperative. At Armis Labs, we believe transparency and collaboration are essential to a safer digital and physical world. By working with Copeland and disclosing these vulnerabilities in coordination with the appropriate parties, we aimed to provide an early warning signal to the industry and help reduce the attack surface before these issues are exploited in the wild.

This is a model we advocate for across all industries: security must be built in from the start, reinforced through continuous assessment, and supported by a community of vendors, researchers, and regulators committed to protecting both physical and virtual assets.

Security Is a Shared Responsibility

The security of mission-critical infrastructure cannot rest solely on the shoulders of end users. Manufacturers must treat cybersecurity as a foundational element of product design. Security researchers, vendors, and OEMs must work together proactively and transparently to protect the digital and physical systems that underpin modern life.

This vulnerability disclosure can be used as a case study of how a manufacturer and Armis collaborated from discovery through mitigation. It further demonstrates the necessity of building secure-by-design systems, particularly for devices operating in OT and ICS environments where patching is often complex and delayed.

Why Armis? Proactive Security Starts with Intelligence

Armis’s Broader Value in Vulnerability Research

What sets Armis apart isn’t just our ability to find zero-day vulnerabilities. It’s the ability to:

  • Understand real-world risk by correlating asset intelligence with live operational data.
  • Prioritize and contextualize vulnerabilities so remediation focuses on what matters most.
  • Turn intelligence into action by equipping organizations to proactively defend against evolving threats.

Armis is the leader in asset intelligence and threat detection for operational environments. Our threat research team has a proven track record of identifying high-impact vulnerabilities and bringing them to light before they are weaponized by threat actors. Organizations that rely on Armis gain access to the most advanced threat intelligence, enabling proactive security that allows them to stay ahead of attackers.

Moving Forward

Today’s disclosure serves as a stark reminder of the risk embedded in legacy systems that were never designed with modern cyber threats in mind. As enterprises continue to digitize and interconnect operational assets, security must be an integral part of the conversation, at every stage.

At Armis, we remain committed to leading that conversation with research, action, and collaboration. We urge organizations using Copeland E2 and E3 controllers to assess their exposure and adopt Copeland’s mitigation patch(es) immediately. For further guidance, reach out to the Armis threat research team or your account representative.

For a detailed technical breakdown of the 10 vulnerabilities and recommended mitigations, read our executive summary.

Looking for real-time context, prioritization, and actionable insights tailored to your specific industry and threat levels? Make sure to check out our Armis Vulnerability Intelligence Database.


[1] The E2 Facility Management System has long been considered a standard in the industry, known for its reliability and comprehensive control over building and refrigeration systems, including compressor groups, condensers, walk-in units, HVAC units, and lighting. Technicians have praised the E2 system for its durability and ease of use, noting its widespread presence in the field.

Introduced in 2021, the E3 Supervisory Control is designed as a direct upgrade to the E2 system, offering enhanced features such as a built-in 10-inch touchscreen display, faster processing power, increased memory, and remote accessibility via web browsers or mobile devices. The E3 controller has been gaining popularity among original equipment manufacturers (OEMs), contractors, and service technicians for its modern interface and improved capabilities.
