CRITICAL🇵🇱 Wersja polska

CVE-2025-47699

CVSS 9.9v3.1pub. 2025-10-23upd. 2026-04-15

Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.

🤖 AI Analysis
How it works

An error classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) causes sensitive system information or management functions to be accessible outside the intended control sphere. An authenticated operator with only limited location-based permissions is able to exceed the scope of access granted to them and perform critical configuration operations on Morpho devices connected to the Command Centre system. The authorization mechanism does not properly enforce permission boundaries in the context of this integration.

Impact

An attacker can make unauthorized, critical changes to local Morpho biometric devices, which may lead to breach of confidentiality, integrity, and availability of the access control system — including potentially unauthorized granting or revocation of physical access.

Mitigation & patch

Gallagher Command Centre Server should be updated to the following versions containing fixes: vEL9.30.2482 (MR2) or newer for the 9.30 branch, vEL9.20.2819 (MR4) or newer for the 9.20 branch, vEL9.10.3672 (MR7) or newer for the 9.10 branch, vEL9.00.3831 (MR8) or newer for the 9.00 branch. For versions 8.90 and earlier, migration to a supported branch is recommended. Details are available in the vendor's guide at the address indicated in the references.

Who is affected

Gallagher Command Centre Server in versions: 9.30 before vEL9.30.2482 (MR2), 9.20 before vEL9.20.2819 (MR4), 9.10 before vEL9.10.3672 (MR7), 9.00 before vEL9.00.3831 (MR8), and all versions 8.90 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References