Skip to main content

Genetec Security Center CVE-2026-27768

| EUVDEUVD-2026-31705 MEDIUM
SQL Injection (CWE-89)
2026-05-25 Genetec GHSA-mv5j-97vv-6978
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:09 vuln.today
Patch available
May 26, 2026 - 14:16 EUVD

DescriptionCVE.org

SQL Injection affecting the Access Manager role.

AnalysisAI

SQL injection in Genetec Security Center's Access Manager role enables a remote attacker with high privileges to achieve full confidentiality, integrity, and availability impact against the underlying database. The vulnerability spans multiple major release branches (5.9 through 5.13) of this widely deployed physical security management platform, covering access control, video surveillance, and license plate recognition environments. Vendor-released patches are confirmed available for the 5.12 and 5.13 branches; no public exploit has been identified at time of analysis and SSVC assessment confirms no current exploitation activity.

Technical ContextAI

CWE-89 (SQL Injection) describes a root cause where user-supplied input is incorporated into SQL query construction without adequate parameterization or sanitization, allowing an attacker to manipulate query logic and interact directly with the database engine. The affected product, Genetec Security Center (CPE: cpe:2.3:a:genetec_inc.:genetec_security_center), is an enterprise-grade unified physical security platform. The Access Manager role within Security Center is specifically responsible for governing physical access control operations - door controllers, cardholder permissions, credential management - meaning the injectable input likely originates from an administrative or configuration interface tied to that role. The network-accessible (AV:N) attack vector with high privilege requirement (PR:H) and high complexity (AC:H) indicates the injection point resides within an authenticated management interface rather than a public-facing or unauthenticated endpoint, and that additional non-trivial conditions beyond authentication must be satisfied for exploitation.

RemediationAI

The primary remediation is upgrading to Genetec Security Center 5.12.2.17 for deployments on the 5.12.x branch, or to 5.13.3.5 for deployments on the 5.13.x branch, as confirmed by Genetec's official security update documentation. Organizations running versions 5.9.x (at or below 5.9.5.11), 5.10.x (at or below 5.10.4.31), or 5.11.x (at or below 5.11.3.28) should upgrade to a supported and patched branch (5.12.2.17 or 5.13.3.5), as no specific patch versions for those legacy branches are identified in available data - contact Genetec support to confirm upgrade paths. Where immediate upgrade is not operationally feasible, restrict Access Manager role assignment to the absolute minimum set of accounts required, enforcing least-privilege principles across all administrative roles; this does not eliminate the vulnerability but reduces the pool of potential exploiters to only those with verified operational need. Additionally, restrict network access to the Security Center management interface to trusted administrative subnets or VPN-only access, reducing the network-accessible (AV:N) exposure surface. Note that these compensating controls have operational trade-offs: role restriction may impact legitimate administrative workflows, and network segmentation requires accurate inventory of management interface addresses.

Share

CVE-2026-27768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy