CVE-2025-27845 for Web Controller Firmware

Monday, March 17, 2025

Resolved

Product

Espec North America Web controller.

Status

Resolved: Version 3.3.4+

Affected Versions

3.0.0 - 3.3.3

Problem

The JWT signing secret can be exposed in the error message returned when an attacker attempts to log in to the system with bad credentials.

Once they have the JWT secret, they can generate valid JWTs without the system being involved.

Resolution

All authentication error messages have been stripped of their stack trace.

The secret is now generated/re-generated on first boot/firmware update.

This has the side effect that all tokens generated before updating to 3.3.4 or later are invalidated, and users must log in to the system again.
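The leak described under Problem and the two fixes described under Resolution, as an added illustration in Python; this is constructed example code, not the Web controller's firmware, and the handler names, the `users` map and the constructed secret are assumptions:

```python
import hmac
import logging
import secrets
import traceback

log = logging.getLogger("web_controller")  # constructed logger name


class AuthError(Exception):
    """Raised on bad credentials; its message carries internal state."""


def verify_credentials(username, password, users, config):
    # Demo only: `users` maps usernames to plaintext passwords; real firmware
    # would compare against a password hash.
    stored = users.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        # Constructed defect: the exception text embeds runtime config, so any
        # handler that echoes the exception or its trace leaks the signing secret.
        raise AuthError(f"login failed for {username!r}; config={config!r}")
    return True


def login_leaky(username, password, users, config):
    """Vulnerable pattern: the stack trace, secret included, goes to the client."""
    try:
        verify_credentials(username, password, users, config)
        return {"ok": True}
    except AuthError:
        return {"ok": False, "error": traceback.format_exc()}


def login_hardened(username, password, users, config):
    """Fixed pattern: detail goes to the server log, the client gets a constant message."""
    try:
        verify_credentials(username, password, users, config)
        return {"ok": True}
    except AuthError:
        log.debug("login failed for %r", username, exc_info=True)
        return {"ok": False, "error": "invalid username or password"}


def load_jwt_secret(state, firmware_version):
    """Mint a fresh secret on first boot or after a firmware update; every token
    signed with the old secret stops validating, which is the documented side effect."""
    if state.get("secret") is None or state.get("version") != firmware_version:
        state["secret"] = secrets.token_hex(32)
        state["version"] = firmware_version
    return state["secret"]
```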

Mitigation

Update the firmware to 3.3.4 or newer.