
CVE-2025-27847

Severity: Medium
Published: Thu Aug 14 2025 (08/14/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

In ESPEC North America Web Controller 3 before 3.3.8, user session privileges obtained via /api/v4/auth/ are not revoked on logout.

AI-Powered Analysis

Last updated: 08/22/2025, 01:07:58 UTC

Technical Analysis

CVE-2025-27847 is a medium-severity vulnerability affecting ESPEC North America Web Controller version 3 prior to 3.3.8. The flaw is that the controller does not revoke a user's session privileges when the user logs out via the /api/v4/auth/ endpoint: the server-side session context stays valid after logout, so anyone who can reuse or hijack the session token or session context retains the privileges of the logged-out user, which could lead to unauthorized access or privilege escalation. The vulnerability is classified under CWE-269 (improper privilege management). The CVSS 3.1 base score is 4.3, reflecting an attack vector of physical or local access, low attack complexity, no privileges required, no user interaction, and low impacts to confidentiality, integrity, and availability. Exploitation does not require authentication or user interaction, but the physical or local attack vector limits remote exploitation. No known exploits are reported in the wild, and no patches are currently linked, so remediation is expected to require updating to version 3.3.8 or later once available. An attacker with local or physical access to the device could maintain or reuse session privileges after logout, potentially performing unauthorized actions or exposing data within the controller environment.

Potential Impact

For European organizations using ESPEC North America Web Controller devices, this vulnerability could lead to unauthorized access to critical control systems if an attacker gains local or physical access to the device. This is particularly concerning for industrial and manufacturing sectors, where such controllers manage operational technology (OT) environments. Because session privileges persist after logout, an attacker could bypass the intended session termination controls, with potential consequences including data leakage, unauthorized command execution, or disruption of operational processes. Although remote exploitation is unlikely, insider threats or attackers with physical proximity could exploit this flaw. The impact on confidentiality, integrity, and availability is low to medium but could be amplified where these controllers interface with critical infrastructure or sensitive production data. European organizations with strict regulatory requirements around data protection and operational security may face compliance risks if this vulnerability is not addressed.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading ESPEC North America Web Controller software to version 3.3.8 or later once the patch is officially released. Until then, organizations should enforce strict physical security controls to prevent unauthorized local access to the devices. Session management policies should be reviewed to confirm that sessions are invalidated server-side on logout, not merely cleared on the client. Network segmentation can limit access to the controllers to trusted personnel only. Monitoring and logging of session activity should be increased to detect any anomalous reuse of session tokens after a logout event. Where possible, temporarily disabling remote access or restricting API endpoint access to trusted IP addresses can reduce exposure. Organizations should also conduct regular security audits of their OT environments to identify and remediate similar session management issues.
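To make the flaw described in the Technical Analysis and the audit check suggested above concrete, here is an added example (hypothetical code, not ESPEC's implementation and not from the original page): a minimal in-memory session store with a logout handler that only clears the client cookie, the corrected handler that revokes the server-side session first, and a check that a logged-out token no longer carries privileges.

```python
import secrets
import time


class SessionStore:
    """Hypothetical minimal server-side session store (constructed for illustration)."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}
        self.ttl = ttl_seconds

    def login(self, user, role):
        # Issue an unguessable token bound to the user's role (its privilege level).
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "role": role, "created": time.time()}
        return token

    def privileges_for(self, token):
        # Returns the role still attached to a token, or None if the session is invalid.
        s = self._sessions.get(token)
        if s is None or time.time() - s["created"] > self.ttl:
            return None
        return s["role"]

    def logout_vulnerable(self, token):
        # The CWE-269 pattern: the client is told to drop its cookie, but the
        # server-side session and its privileges remain valid until TTL expiry.
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout_fixed(self, token):
        # Revoke server-side first; pop() keeps logout idempotent for unknown tokens.
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def logout_revokes_privileges(store, logout):
    """Audit check: after calling logout, the old token must carry no privileges."""
    token = store.login("operator", "admin")
    logout(token)
    return store.privileges_for(token) is None


if __name__ == "__main__":
    s = SessionStore()
    print("vulnerable logout revokes:", logout_revokes_privileges(s, s.logout_vulnerable))
    print("fixed logout revokes:", logout_revokes_privileges(s, s.logout_fixed))
```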


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-09T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 689dfaa3ad5a09ad005bd06a
Added to database: 8/14/2025, 3:02:59 PM
Last enriched: 8/22/2025, 1:07:58 AM
Last updated: 10/7/2025, 1:49:54 PM
