Impact
On Ercom Cryptobox platforms that enforce entity-based administrator segregation, a flaw in the administration console permits an authenticated entity administrator who knows of the vulnerability to raise their own privileges to those of a global administrator. This gives the attacker unrestricted access to all system resources and can lead to full control of the infrastructure. The weakness is associated with improper privilege and access controls (CWE-1220) and is also coupled with an input validation weakness that could enable cross-site scripting (CWE-79).
Affected Systems
The affected product is the Ercom Cryptobox platform used in environments employing entity-level administrator segregation. The exact version(s) impacted are not enumerated in the advisory, but the remedy specifies an upgrade to version 4.40.x, implying that prior releases are vulnerable.
Risk and Exploitability
The CVSS score of 4.8 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating that no active exploitation has been confirmed. The likely attack vector requires an authenticated entity administrator with privileged knowledge of the console to abuse the flaw; no unauthenticated access path or remote code execution is involved. Overall, the risk to an organization with a permissive entity administrator role is significant, because the elevation removes the segregation controls and could compromise the entire system. However, exploitability is constrained by the need for prior authentication and specialized knowledge of the console.
OpenCVE Enrichment