A critical vulnerability has been identified in the In ESPEC North America Web Controller, allowing unauthenticated attackers to gain complete control of the system. The flaw exposes a critical security key when an invalid login attempt is made, which an attacker can use to grant themselves administrator-level permissions. This could lead to unauthorized manipulation of environmental test chambers, data theft, and potential damage to equipment and products under test.

The vulnerability exists within the authentication API endpoint (/api/v4/auth/). When an attacker sends any malformed or invalid authentication request to this endpoint, the server's error response improperly includes the JSON Web Token (JWT) secret key. An attacker can capture this exposed secret and use it to sign their own maliciously crafted JWTs, granting themselves arbitrary permissions, including administrative access to the web user interface. This effectively bypasses all authentication and authorization controls on the device.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation by an unauthenticated remote attacker could have severe consequences for the organization. Attackers could gain full administrative control over environmental test chambers, allowing them to alter test parameters, sabotage research and development efforts, or destroy sensitive products. This poses a significant risk to operational continuity, data integrity, and intellectual property. Given that these controllers are often part of critical manufacturing or research workflows, the potential for financial loss and reputational damage is substantial.

Immediate Action: Organizations must immediately upgrade all vulnerable instances of In ESPEC North America Web Controller to version 3.3.4 or later, as recommended by the vendor. After patching, review access logs for any connections to the /api/v4/auth/ endpoint that resulted in an error, followed by successful administrative access from an unrecognized source.

Proactive Monitoring: Implement continuous monitoring of network traffic to and from the web controller. Specifically, create alerts for multiple failed authentication attempts against the /api/v4/auth/ endpoint from a single IP address. Monitor system logs for unauthorized configuration changes, user account creation, or logins occurring outside of normal business hours.

Compensating Controls: If immediate patching is not feasible, restrict network access to the web controller's management interface to a dedicated, trusted network segment. Use a firewall or network access control list (ACL) to block all access from untrusted sources. Consider deploying a Web Application Firewall (WAF) with rules to inspect and block malicious requests targeting the vulnerable API endpoint.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the risk of complete system compromise from an unauthenticated attacker, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patch to all affected systems. While this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion. If patching cannot be performed immediately, implement the compensating controls of network segmentation and access restriction without delay to reduce the attack surface.