Gallagher Command Centre Server vulnerabilities
15 known vulnerabilities affecting gallagher/command_centre_server.
Total CVEs: 15
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 4, MEDIUM 9, LOW 1
Vulnerabilities
CVE-2025-47699 | P2 | CRITICAL | CVSS 9.9 | CWE-497 | ≤ 8.90; ≥ 9.30, < 9.30.2482 (MR2); +3 more | 2025-10-23
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices.
This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4)
nvd
CVE-2024-41724 | P3 | HIGH | CVSS 8.7 | CWE-295 | fixed in 9.20.1043 | 2025-03-10
Improper Certificate Validation (CWE-295) in the Gallagher Command Centre SALTO integration allowed an attacker to spoof the SALTO server.
This issue affects all versions of Gallagher Command Centre prior to 9.20.1043.
nvd
CVE-2024-42407 | P3 | HIGH | CVSS 8.5 | CWE-532 | ≤ 8.80; ≥ 9.10, < 9.10.2149 (MR4); +2 more | 2024-12-12
Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access.
This issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90
nvd
CVE-2024-43690 | P3 | HIGH | CVSS 8.0 | CWE-829 | ≤ 8.70; ≥ 9.10, < vEL9.10.1530(MR2); +3 more | 2024-09-11
Inclusion of Functionality from Untrusted Control Sphere (CWE-829) in the Command Centre Server and Workstations may allow an attacker to perform Remote Code Execution (RCE).
This issue affects: Command Centre Server and Command Centre Workstations 9.10 prior to vEL9.10.1530 (MR2), 9.00 prior to vEL9.00.2168 (MR4), 8.90 prior to vEL8.90.2155 (MR5), 8.
nvd
CVE-2026-25193 | P3 | HIGH | CVSS 8.1 | CWE-532 | ≥ 9.40, < 9.40.2575 (MR2) | 2026-05-25
Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure.
Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.
Mitigation: For sites concerned ab
cvelistv5, nvd
CVE-2024-21815 | P3 | MEDIUM | CVSS 6.5 | CWE-522 | ≤ 8.60; ≥ 9.00, < vEL9.00.1774 (MR2); +3 more | 2024-03-05
Insufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users.
This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all v
nvd
CVE-2025-48428 | P4 | MEDIUM | CVSS 6.7 | CWE-312 | ≤ 8.90; ≥ 9.20, < 9.20.2819 (MR4); +2 more | 2025-10-23
Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher Morpho integration could allow an authenticated user with access to the Command Centre Server to export a specific signing key while in use allowing them to deploy a compromised or counterfeit device on that site.
This issue affects Command Centre Server: 9.20 prior to vEL9.20.281
nvd
CVE-2025-41402 | P4 | MEDIUM | CVSS 5.5 | CWE-602 | ≤ 9.00; ≥ 9.30, < 9.30.2482 (MR2); +2 more | 2025-10-23
Client-Side Enforcement of Server-Side Security (CWE-602) in the Command Centre Server allows a privileged operator to enter invalid competency data, bypassing expiry checks.
This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), all versions of 9.00 and prior
nvd
CVE-2025-35981 | P4 | MEDIUM | CVSS 5.5 | CWE-359 | v9.30.1874 (MR1); v9.20.2337 (MR3); +1 more | 2025-10-23
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) in the Command Centre Server allows a privileged Operator to view limited personal data about a Cardholder they would not normally have permissions to view.
This issue affects Command Centre Server: 9.30.1874 (MR1), 9.20.2337 (MR3), 9.10.3194 (MR6).
nvd
CVE-2024-21838 | P4 | MEDIUM | CVSS 5.4 | CWE-74 | ≤ 8.60; ≥ 9.00, < vEL9.00.1774 (MR2); +3 more | 2024-03-05
Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre.
This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.7
nvd
CVE-2025-46406 | P4 | MEDIUM | CVSS 5.6 | CWE-270 | ≤ 8.90; ≥ 9.30, < 9.30.1874 (MR1); +3 more | 2025-07-10
A Privilege Context Switching Error (CWE-270) in the Command Centre Server could allow a privileged Operator with high level access in one Division to perform limited privileged activities across the Division boundary.
This issue affects Command Centre Server: 9.30 prior to 9.30.1874 (MR1), 9.20 prior to 9.20.2337 (MR3), 9.10 prior to 9.10.3194 (MR
nvd
CVE-2025-48430 | P4 | MEDIUM | CVSS 5.5 | CWE-248 | ≤ 8.90; ≥ 9.30, < 9.30.2482 (MR2); +3 more | 2025-10-23
Uncaught Exception (CWE-248) in the Command Centre Server allows an Authorized and Privileged Operator to crash the Command Centre Server at will.
This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and
nvd
CVE-2023-23584 | P4 | MEDIUM | CVSS 4.3 | CWE-204 | ≤ 8.50; ≥ 8.70, < 8.70.1787 (MR2); +1 more | 2023-12-18
An observable response discrepancy in the Gallagher Command Centre REST API allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable.
This issue affects: Gallagher Command Centre 8.70 prior to vEL8.70.1787 (MR2), 8.60 prior to vEL8.60.2039 (MR4), all versions of 8.50 and prior.
nvd
CVE-2023-23576 | P4 | MEDIUM | CVSS 4.3 | CWE-696 | ≤ 8.50; ≥ 8.90, < 8.90.1620 (MR2); +3 more | 2023-12-18
Incorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision.
This issue affects: Gallagher Command Centre: 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.
nvd
CVE-2026-20757 | P4 | LOW | CVSS 2.5 | CWE-667 | ≤ 9.00; ≥ 9.40, < 9.40.1976(MR1); +3 more | 2026-03-03
Improper Locking vulnerability (CWE-667) in Gallagher Morpho integration allows a privileged operator to cause a limited denial-of-service in the Command Centre Server.
This issue affects Command Centre Server: 9.40 prior to vEL9.40.1976 (MR1), 9.30 prior to vEL9.30.3382 (MR4), 9.20 prior to vEL9.20.3783 (MR6), 9.10 prior to vEL9.10.4647 (MR9), all v
nvd