CVE-2025-27845
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-15
Assigner: MITRE
Description
Description
In ESPEC North America Web Controller 3 before 3.3.4, /api/v4/auth/ with any invalid authentication request results in exposing a JWT secret. This allows for elevated permissions to the UI.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| espec | north_america_web_controller | 3.3.4 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
In ESPEC North America Web Controller versions before 3.3.4, sending any invalid authentication request to the /api/v4/auth/ endpoint causes the system to expose a JWT secret. This secret can then be used to gain elevated permissions in the user interface.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to obtain the JWT secret, which can be used to escalate privileges and gain unauthorized access to the web controller's user interface, potentially leading to unauthorized control or data exposure.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70