CVE-2025-48428
BaseFortify
Publication date: 2025-10-23
Last updated on: 2025-10-27
Assigner: Gallagher Group Ltd.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gallagher | command_centre_server | 9.20 |
| gallagher | command_centre_server | 9.10 |
| gallagher | command_centre_server | 9.00 |
| gallagher | command_centre_server | 8.90 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the cleartext storage of sensitive information within the Gallagher Morpho integration of the Gallagher Command Centre Server. An authenticated user with high privileges on the server can export a specific signing key while it is in use. This key could then be used to deploy compromised or counterfeit devices on the affected site. [1]
How can this vulnerability impact me?
If exploited, this vulnerability could allow a privileged authenticated user to export a signing key and use it to deploy compromised or counterfeit devices on the site. This could lead to unauthorized access or control over physical security systems, potentially compromising site security. [1]
What immediate steps should I take to mitigate this vulnerability?
Mitigation involves following all applicable guidance in the Command Centre hardening guide to secure the environment. Update the Gallagher Command Centre Server to a fixed version: vEL9.20.2819 (MR4) or later for 9.20, vEL9.10.3672 (MR7) or later for 9.10, and vEL9.00.3831 (MR8) or later for 9.00. Restrict high-privilege access to the Command Centre Server to trusted, authenticated operators, and monitor use of the Gallagher Morpho integration so that any export of the signing key is detected. [1]