At least 8 vulnerabilities have been discovered in Carrier’s LenelS2 HID Mercury access control system. The system is prevalent in the healthcare, education, transportation and government sectors.
“The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems,” Trellix security researchers Steve Povolny and Sam Quinn said in a report shared with The Hacker News.
Attackers can weaponize the flaws to take over the system, which means they can manipulate door locks. An unauthenticated remote execution flaw that scores 10 out of 10 for severity on the CVSS scoring system has been identified.
Other shortcomings could lead to command injection (CVE-2022-31479, CVE-2022-31486), denial-of-service (CVE-2022-31480, CVE-2022-31482), user modification (CVE-2022-31484), information spoofing (CVE-2022-31485), and arbitrary file write (CVE-2022-31483).
Coinciding with the public disclosure is an industrial control systems (ICS) advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging users to update the access panels to the latest firmware version (CARR-PSA-006-0622).
“Successful exploitation of these vulnerabilities could allow an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition,” the agency said in an alert.