
CVE-2025-27450: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Endress+Hauser Endress+Hauser MEAC300-FNADE4

Severity: Medium
Published: Thu Jul 03 2025 (07/03/2025, 11:26:33 UTC)
Source: CVE Database V5
Vendor/Project: Endress+Hauser
Product: Endress+Hauser MEAC300-FNADE4

Description

The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user into establishing an unencrypted HTTP connection to the server and intercept the request containing the PHPSESSID cookie.

AI-Powered Analysis

Last updated: 07/03/2025, 11:56:22 UTC

Technical Analysis

CVE-2025-27450 is a medium severity vulnerability affecting the Endress+Hauser MEAC300-FNADE4 device, identified as CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. The issue arises because multiple cookies, including the PHPSESSID session cookie, are set without the Secure attribute. This attribute instructs browsers to only send the cookie over encrypted HTTPS connections. Without it, an attacker can trick a user into connecting to the device via an unencrypted HTTP session, causing the browser to transmit the session cookie in cleartext. This exposes the session identifier to interception by network attackers performing man-in-the-middle (MITM) attacks or eavesdropping on unsecured networks. The vulnerability does not require authentication and has a CVSS 3.1 base score of 6.5, reflecting a network attack vector with low complexity and no privileges required, but requiring user interaction (such as clicking a malicious link). The impact is primarily on confidentiality, as session cookies can be stolen, potentially allowing session hijacking or unauthorized access to the device's web interface. However, integrity and availability are not directly affected. No known exploits are currently reported in the wild, and no patches have been published yet. The affected product is an industrial device from Endress+Hauser, likely used in process automation and instrumentation environments.

Potential Impact

For European organizations, particularly those in industrial sectors such as manufacturing, utilities, and process automation, this vulnerability poses a risk of unauthorized access to critical control devices. The MEAC300-FNADE4 is likely deployed in operational technology (OT) environments where confidentiality breaches can lead to exposure of sensitive operational data or unauthorized control commands. An attacker intercepting session cookies could impersonate legitimate users, potentially disrupting monitoring or control functions indirectly. While the vulnerability does not directly enable command injection or denial of service, session hijacking in industrial control systems can have cascading effects on operational integrity and safety. European organizations with remote or web-accessible interfaces to such devices are at higher risk, especially if users access the device over insecure networks or if internal network segmentation is weak. The absence of the Secure cookie attribute also indicates potential gaps in secure development practices, which may reflect broader security posture concerns.

Mitigation Recommendations

To mitigate this vulnerability, organizations should prioritize the following actions:

1) Apply vendor patches or firmware updates once available to ensure cookies are set with the Secure attribute, enforcing HTTPS-only transmission.
2) Enforce strict HTTPS usage by disabling HTTP access to the device’s web interface, including redirecting HTTP requests to HTTPS and using HSTS (HTTP Strict Transport Security) headers.
3) Implement network-level controls such as firewall rules and segmentation to restrict access to the MEAC300-FNADE4 device only to trusted hosts and networks, minimizing exposure to untrusted or public networks.
4) Educate users to avoid accessing the device over unsecured or public Wi-Fi networks and to verify HTTPS connections before entering credentials or interacting with the device.
5) Monitor network traffic for signs of session hijacking attempts or unusual access patterns.
6) Consider deploying web application firewalls (WAFs) or intrusion detection systems (IDS) that can detect anomalous HTTP traffic or cookie misuse.
7) Review and enhance overall OT security policies to include secure cookie handling and session management best practices.
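To verify the first two mitigations on a device's HTTPS responses, the following added example (not vendor or advisory code) parses `Set-Cookie` headers and reports cookies that lack the Secure attribute, plus whether an HSTS header is present. The header lists and function names are constructed for illustration.

```python
# Added example: audit response headers for CWE-614 (cookie without Secure).
# SAMPLE_* header lists are constructed for illustration, not captured from a device.

SAMPLE_VULNERABLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=3f9c0a7e51b2; path=/"),
    ("Set-Cookie", "theme=secure; Path=/"),       # "secure" is the value, not the flag
    ("Set-Cookie", "lang=en; Path=/; SECURE"),    # attribute names are case-insensitive
]

SAMPLE_HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "PHPSESSID=3f9c0a7e51b2; Path=/; Secure"),
]


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only the segments after the first ';' are attributes; the first is name=value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_https_response(headers):
    """Check headers from an HTTPS response: cookies lacking Secure, and HSTS presence."""
    insecure, hsts = [], False
    for key, value in headers:
        key = key.lower()
        if key == "strict-transport-security":
            hsts = True
        elif key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                insecure.append(name)
    return {"cookies_without_secure": insecure, "hsts": hsts}


if __name__ == "__main__":
    for label, hdrs in (("vulnerable", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_https_response(hdrs))
```

The input has the same shape as the list of `(header, value)` tuples returned by `http.client.HTTPResponse.getheaders()`, so the check can be run against a live response from a device you administer.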


Technical Details

Data Version: 5.1
Assigner Short Name: SICK AG
Date Reserved: 2025-02-26T08:39:58.980Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68666bf36f40f0eb72964d5a

Added to database: 7/3/2025, 11:39:31 AM

Last enriched: 7/3/2025, 11:56:22 AM

Last updated: 7/3/2025, 1:24:35 PM
