CVE-2025-48428
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-48428, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-23

Last updated on: 2025-10-27

Assigner: Gallagher Group Ltd.

Description

Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher Morpho integration could allow an authenticated user with access to the Command Centre Server to export a specific signing key while in use allowing them to deploy a compromised or counterfeit device on that site. This issue affects Command Centre Server: 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-23
Last Modified
2025-10-27
Generated
2026-07-06
AI Q&A
2025-10-23
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
gallagher command_centre_server 9.20
gallagher command_centre_server 9.10
gallagher command_centre_server 8.90
gallagher command_centre_server 9.00

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves the cleartext storage of sensitive information within the Gallagher Morpho integration of the Gallagher Command Centre Server. An authenticated user with high privileges on the server can export a specific signing key while it is in use. This key could then be used to deploy compromised or counterfeit devices on the affected site. [1]

Impact Analysis

If exploited, this vulnerability could allow a privileged authenticated user to export a signing key and use it to deploy compromised or counterfeit devices on the site. This could lead to unauthorized access or control over physical security systems, potentially compromising site security. [1]

Mitigation Strategies

Mitigation involves following all applicable guidance in the Command Centre hardening guide to secure the environment. Ensure that you update the Gallagher Command Centre Server to a fixed version: vEL9.20.2819 (MR4) or later for 9.20, vEL9.10.3672 (MR7) or later for 9.10, and vEL9.00.3831 (MR8) or later for 9.00. Restrict access to the Command Centre Server to only trusted, authenticated users with high privileges and monitor usage of the Gallagher Morpho integration to prevent unauthorized exportation of signing keys. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-48428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart