CVE-2026-27790
Received Received - Intake

Denial of Service in Gallagher Command Centre

Vulnerability report for CVE-2026-27790, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Gallagher Group Ltd.

Description

Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected: * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1)) * 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3)) * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5)) * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7)) * all versions of 9.10 and prior.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
gallagher command_centre to 9.50.260616a (exc)
gallagher command_centre to 9.40.260616a (exc)
gallagher command_centre to 9.30.260616a (exc)
gallagher command_centre to 9.20.260616a (exc)
gallagher command_centre to 9.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-27790 is a low-severity vulnerability in Gallagher Command Centre affecting versions prior to specific patches. It involves an uncaught exception (CWE-248) in the T20 Readers component. An authenticated and authorized operator can send specific requests that trigger a restart of the system, resulting in a temporary denial of service.

The vulnerability arises because the diagnostic web interface can be exploited to cause this restart if certain settings are enabled. Gallagher recommends keeping the diagnostic web page disabled by default unless explicitly enabled by their support team.

Mitigation Strategies
  • Ensure DIP switch 1 is turned off on all Controllers.
  • Verify that the "Dipswitch 1 controls the diagnostic web interface" option is unchecked in the Configuration Client.
  • Avoid using the Controller override "Enable WWW Connections."

Keep the diagnostic web page disabled by default unless explicitly enabled by Gallagher support.

Impact Analysis

This vulnerability can cause a temporary denial of service by allowing an authenticated and authorized operator to trigger a system restart through specific requests. This means that the affected Gallagher Command Centre system may become temporarily unavailable, potentially disrupting operations that rely on it.

However, the impact is limited as it requires authenticated access with authorization, and the severity is rated low (CVSS 2.7). Gallagher has not reported any active exploitation of this vulnerability.

Detection Guidance

This vulnerability involves an uncaught exception in T20 Readers triggered by specific requests from an authenticated and authorized operator, causing a restart and temporary denial of service.

Detection can focus on monitoring for unexpected restarts or denial of service events related to T20 Readers within Gallagher Command Centre versions prior to the specified patches.

Gallagher recommends keeping the diagnostic web page disabled by default unless explicitly enabled by support, so checking if the diagnostic web interface is enabled could help detect potential exposure.

Specific commands are not provided in the available resources.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27790. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart