Gallagher


Products by Gallagher Sorted by Most Security Vulnerabilities since 2018

Gallagher Command Centre: 45 vulnerabilities

By the Year

In 2026 there have been 4 vulnerabilities in Gallagher with an average score of 5.5 out of ten. Last year, in 2025, Gallagher had 8 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Gallagher in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.39.




Year Vulnerabilities Average Score
2026 4 5.48
2025 8 5.86
2024 3 5.95
2023 8 6.08
2022 1 5.50
2021 13 6.65
2020 12 7.82
2019 2 0.00

It may take a day or so for new Gallagher vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Gallagher Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-25193 May 25, 2026
Gallagher CommandCentre Service Leaks ServiceAccount Credentials to Log Files
Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted. Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre.
Command Centre
CVE-2026-20801 Mar 03, 2026
Cleartext Tx Enables Unprivileged View in Gallagher VMS Integrations <9.10.017/025
Cleartext Transmission of Sensitive Information (CWE-319) in a component used in the Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations allows unprivileged users with local network access to view live video streams. This issue affects all versions of Gallagher NxWitness VMS integration prior to 9.10.017 and Gallagher Hanwha VMS integration prior to 9.10.025.
CVE-2026-20757 Mar 03, 2026
Gallagher Command Centre Server < vEL9.40.1976 Improper Locking DoS (CWE-667)
Improper Locking vulnerability (CWE-667) in Gallagher Morpho integration allows a privileged operator to cause a limited denial-of-service in the Command Centre Server. This issue affects Command Centre Server: 9.40 prior to vEL9.40.1976 (MR1), 9.30 prior to vEL9.30.3382 (MR4), 9.20 prior to vEL9.20.3783 (MR6), 9.10 prior to vEL9.10.4647 (MR9), all versions of 9.00 and prior.
Command Centre
CVE-2025-47147 Mar 03, 2026
Command Centre Mobile Client: Cleartext Session Token (CWE-312) before 9.40.123
Cleartext Storage of Sensitive Information (CWE-312) in the Command Centre Mobile Client on Android and iOS could allow an attacker with access to a logged-in Operator's mobile device to extract the session token and exploit access for a limited duration. This issue affects Command Centre Mobile Client versions prior to 9.40.123.
Command Centre
CVE-2025-64734 Nov 18, 2025
Command Centre Server v<=9.30 Missing Resource Release Allows Physical DoS
Missing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific reader, preventing cardholders from badging for entry. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior.
CVE-2025-52578 Nov 18, 2025
High Sec ELM Command Centre Server PRNG Seed CVE-2025-52578 (v<9.30.251028)
Incorrect Usage of Seeds in Pseudo-Random Number Generator (CWE-335) vulnerability in the High Sec ELM may allow a sophisticated attacker with physical access to compromise internal device communications. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior.
CVE-2025-52457 Nov 18, 2025
HBUS Timing Leak via Command Centre Server <CR9.30.251028a
Observable Timing Discrepancy (CWE-208) in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior.
CVE-2025-48430 Oct 23, 2025
Command Centre Server CVE-2025-48430: Uncaught Exception Crashes < vEL9.30.2482
Uncaught Exception (CWE-248) in the Command Centre Server allows an Authorized and Privileged Operator to crash the Command Centre Server at will. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.
Command Centre
CVE-2025-48428 Oct 23, 2025
Gallagher Command Centre Server 9.20.2819 Cleartext Signing Key Exposure
Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher Morpho integration could allow an authenticated user with access to the Command Centre Server to export a specific signing key while in use, allowing them to deploy a compromised or counterfeit device on that site. This issue affects Command Centre Server: 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.
Command Centre
CVE-2025-47699 Oct 23, 2025
Command Centre Server: Authed Ops Can Alter Morpho Devices Before 9.30.2482
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.
Command Centre
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).