CVE-2025-27846 for Web Controller Firmware

Monday, March 17 2025

Will be resolved

Product

Espec North America Web controller.

Status

  • GRUB Password: Resolved
    Version 3.3.8+
  • BIOS Password: Manual Intervention Required
    See Mitigation

Affected Versions

  • GRUB Password: 3.3.0 - 3.3.7
  • BIOS Password: All

Problem

Physical access required.

  • GRUB Password:
    No GRUB password has been set. An attacker with physical access can alter the GRUB configuration and boot parameters.
  • BIOS Password:
    No BIOS password has been set. An attacker with physical access can alter the BIOS settings. By booting from USB media, the firmware partition(s) could be mounted and altered. Firmware updates will undo any alterations made to the firmware partition(s).

Resolution

  • GRUB Password:
    A GRUB Password has been set.
  • BIOS Password:
    Manual mitigation required; see the Mitigation section.

Mitigation

  • GRUB Password:
    Update the firmware to 3.3.8 or newer.
  • BIOS Password:
    A BIOS password may be applied manually.
    This password must be entered to boot the system.
    Physical access control may be much more convenient.
    • Connect an HDMI or DisplayPort monitor, and a USB keyboard.
    • Cycle (or apply) power to the system
    • Press the [DELETE] key repeatedly, until a password prompt appears
    • Press the [ENTER] key (no password)
    • Press the [RIGHT ARROW] key 3 times to navigate to the "Security" tab
    • Press the [ENTER] key on "User Password"
    • Type the desired password, then press [ENTER] twice
    • Press the [F4] key to save and exit the BIOS
    This password must be entered to boot the system after every power cycle.