CVE-2025-6519 in E3 Supervisory Control
Summary
by MITRE • 09/02/2025
E3 Site Supervisor (firmware version < 2.31F01) has a default admin user "ONEDAY" with a daily generated password. An attacker can predictably generate the password for ONEDAY. The oneday user cannot be deleted or modified by any user.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/10/2025
This vulnerability exists within the E3 Site Supervisor firmware versions prior to 2.31F01 where a default administrative account named "ONEDAY" is configured with a password that can be predictably generated by attackers. The security flaw stems from the implementation of a daily generated password mechanism that lacks sufficient entropy and cryptographic randomness, allowing malicious actors to calculate or brute force the temporary administrative credentials. This represents a critical weakness in the device's authentication framework that directly violates security best practices and industry standards such as those outlined in CWE-259 and CWE-798, which address weak password management and hardcoded credentials respectively.
The operational impact of this vulnerability is severe as it provides persistent unauthorized access to the device's administrative functions. Attackers who successfully predict the ONEDAY password gain full control over the E3 Site Supervisor system, enabling them to modify configurations, access sensitive data, disable security features, and potentially establish persistent backdoors. This vulnerability particularly affects industrial control systems and network infrastructure deployments where E3 Site Supervisor devices are commonly implemented. The inability to delete or modify the ONEDAY user account further compounds the risk by preventing legitimate administrators from remediating the issue through account management, creating a permanent security weakness that persists across device reboots and system updates.
The attack surface for this vulnerability aligns with several MITRE ATT&CK techniques including credential access through brute force or credential prediction, privilege escalation via default credentials, and persistence mechanisms. Security professionals should consider this vulnerability in the context of lateral movement strategies where attackers use default credentials to gain initial access to network segments. Organizations implementing the E3 Site Supervisor should prioritize immediate firmware updates to version 2.31F01 or later, which addresses this weakness through proper password generation mechanisms and account management controls. Additionally, network segmentation and monitoring should be implemented to detect unauthorized access attempts, while regular security assessments should verify the absence of similar default credential configurations in other networked devices. The vulnerability demonstrates the critical importance of secure default configurations and proper authentication mechanisms as outlined in NIST SP 800-125 and ISO/IEC 27001 security frameworks.