Command Centre Server
Monthly
Incorrect privilege assignment in Gallagher Command Centre Server permits an authenticated low-privilege operator to execute operations restricted to higher-privilege roles, enabling unauthorized integrity impacts on physical security configurations. Affected versions span the 9.10 through 9.50 release lines, with patches available for 9.20-9.50 but no fix for the fully end-of-support 9.10 branch. No public exploit code exists and this vulnerability is not listed in CISA KEV; it was disclosed directly by the vendor Gallagher.
Credential exposure in Gallagher Command Centre Service installers writes Service Account credentials into installer log files under %programdata%\Gallagher\Command Centre, allowing a local low-privileged user who can read those logs to recover the configured Service Account password. The flaw (CWE-532) affects a broad set of Gallagher Command Centre components including Command Centre Server, Active Directory Sync, Entra ID Sync, Elevator Service, Middleware Framework and others, but only when the operator deviated from the default Network Service account during install. There is no public exploit identified at time of analysis and EPSS is 0.01%, but a successful read yields high-impact credential compromise of a privileged service identity.
Incorrect privilege assignment in Gallagher Command Centre Server permits an authenticated low-privilege operator to execute operations restricted to higher-privilege roles, enabling unauthorized integrity impacts on physical security configurations. Affected versions span the 9.10 through 9.50 release lines, with patches available for 9.20-9.50 but no fix for the fully end-of-support 9.10 branch. No public exploit code exists and this vulnerability is not listed in CISA KEV; it was disclosed directly by the vendor Gallagher.
Credential exposure in Gallagher Command Centre Service installers writes Service Account credentials into installer log files under %programdata%\Gallagher\Command Centre, allowing a local low-privileged user who can read those logs to recover the configured Service Account password. The flaw (CWE-532) affects a broad set of Gallagher Command Centre components including Command Centre Server, Active Directory Sync, Entra ID Sync, Elevator Service, Middleware Framework and others, but only when the operator deviated from the default Network Service account during install. There is no public exploit identified at time of analysis and EPSS is 0.01%, but a successful read yields high-impact credential compromise of a privileged service identity.