Researchers Disclose Critical Flaws in Industrial Access Control System from Carrier


Industrial Access Control System from Carrier

As many as eight zero-day vulnerabilities have been disclosed in Carrier’s LenelS2 HID Mercury access control system that’s used widely in healthcare, education, transportation, and government facilities.

“The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems,” Trellix security researchers Steve Povolny and Sam Quinn said in a report shared with The Hacker News.

The issues, in a nutshell, could be weaponized by a malicious actor to gain full system control, including the ability to manipulate door locks. One of the bugs (CVE-2022-31481) includes an unauthenticated remote execution flaw that’s rated 10 out of 10 for severity on the CVSS scoring system.

Read more…