In ESPEC North America Web Controller 3 before 3.3.8, an attacker with physical access can gain elevated privileges because GRUB and the BIOS are unprotected.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.