CVE-2026-27844
Received Received - Intake

Denial of Service in Gallagher Command Centre

Vulnerability report for CVE-2026-27844, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Gallagher Group Ltd.

Description

Uncaught Exception (CWE-248)Β in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to trigger a Controller restart by sending specific requests, resulting in a temporary denial of service.Β  Version of Command Centre affected: * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1)) * 9.40 prior to vCR9.40.260616a (distributed inΒ 9.40.3130(MR3)) * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5)) * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7)) * all versions of 9.10 and prior.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
gallagher command_centre to vCR9.50.260616a (exc)
gallagher command_centre to vCR9.40.260616a (exc)
gallagher command_centre to vCR9.30.260616a (exc)
gallagher command_centre to vCR9.20.260616a (exc)
gallagher command_centre to 9.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can cause a temporary denial of service by restarting the Controller when triggered. Although the operator must be authenticated and authorized to exploit it, the restart disrupts normal operations temporarily, potentially affecting system availability.

Executive Summary

CVE-2026-27844 is a low-severity vulnerability in Gallagher Command Centre versions prior to certain fixed releases. It affects the Controller 6000 and Controller 7000 diagnostic web interface, where an authenticated and authorized operator can send specific requests that cause the Controller to restart unexpectedly. This happens due to an uncaught exception (CWE-248) in the system.

Detection Guidance

This vulnerability involves an authenticated and authorized operator sending specific requests to the Controller 6000 and Controller 7000 diagnostic web interface to trigger a restart. Detection would involve monitoring for unusual or unauthorized requests to the diagnostic web interface that could cause a Controller restart.

Gallagher recommends keeping the diagnostic web page disabled by default unless explicitly enabled by technical support, which reduces exposure.

No specific detection commands or network signatures are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, Gallagher recommends the following immediate steps:

  • Ensure DIP switch 1 is turned off on all Controllers.
  • Disable the diagnostic web interface option in the Configuration Client.
  • Keep the diagnostic web page disabled by default unless explicitly enabled by Gallagher technical support.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27844. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart