Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
SQL Injection affecting the Access Manager role.
AnalysisAI
SQL injection in Genetec Security Center's Access Manager role enables a remote attacker with high privileges to achieve full confidentiality, integrity, and availability impact against the underlying database. The vulnerability spans multiple major release branches (5.9 through 5.13) of this widely deployed physical security management platform, covering access control, video surveillance, and license plate recognition environments. Vendor-released patches are confirmed available for the 5.12 and 5.13 branches; no public exploit has been identified at time of analysis and SSVC assessment confirms no current exploitation activity.
Technical ContextAI
CWE-89 (SQL Injection) describes a root cause where user-supplied input is incorporated into SQL query construction without adequate parameterization or sanitization, allowing an attacker to manipulate query logic and interact directly with the database engine. The affected product, Genetec Security Center (CPE: cpe:2.3:a:genetec_inc.:genetec_security_center), is an enterprise-grade unified physical security platform. The Access Manager role within Security Center is specifically responsible for governing physical access control operations - door controllers, cardholder permissions, credential management - meaning the injectable input likely originates from an administrative or configuration interface tied to that role. The network-accessible (AV:N) attack vector with high privilege requirement (PR:H) and high complexity (AC:H) indicates the injection point resides within an authenticated management interface rather than a public-facing or unauthenticated endpoint, and that additional non-trivial conditions beyond authentication must be satisfied for exploitation.
RemediationAI
The primary remediation is upgrading to Genetec Security Center 5.12.2.17 for deployments on the 5.12.x branch, or to 5.13.3.5 for deployments on the 5.13.x branch, as confirmed by Genetec's official security update documentation. Organizations running versions 5.9.x (at or below 5.9.5.11), 5.10.x (at or below 5.10.4.31), or 5.11.x (at or below 5.11.3.28) should upgrade to a supported and patched branch (5.12.2.17 or 5.13.3.5), as no specific patch versions for those legacy branches are identified in available data - contact Genetec support to confirm upgrade paths. Where immediate upgrade is not operationally feasible, restrict Access Manager role assignment to the absolute minimum set of accounts required, enforcing least-privilege principles across all administrative roles; this does not eliminate the vulnerability but reduces the pool of potential exploiters to only those with verified operational need. Additionally, restrict network access to the Security Center management interface to trusted administrative subnets or VPN-only access, reducing the network-accessible (AV:N) exposure surface. Note that these compensating controls have operational trade-offs: role restriction may impact legitimate administrative workflows, and network segmentation requires accurate inventory of management interface addresses.
More in Genetec Security Center
View allLocal credential exposure in Genetec Security Center main server installations allows an attacker with local OS privileg
Unauthenticated video stream access in Genetec Security Center 5.14.0.0 (builds prior to 5.14.178.18) lets remote attack
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31705
GHSA-mv5j-97vv-6978