PT-2024-19380 · Gallagher · Gallagher Controller 6000 / 7000

Published: 2024-07-10 · Updated: 2024-07-11 · CVE-2024-22387
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Gallagher Controller 6000 and 7000:
- versions 8.60 and prior
- versions 8.70 prior to vCR8.70.240520a
- versions 8.80 prior to vCR8.80.240520a
- versions 8.90 prior to vCR8.90.240520a
- versions 9.00 prior to vCR9.00.240521a
- versions 9.10 prior to vCR9.10.240520a
Description
The issue allows an authenticated user to modify device I/O connections through the controller's diagnostic web interface. Tampering with I/O connections can cause unexpected behaviour and compromise site physical security controls; the CVSS vector accordingly rates integrity and availability impact as high, with no confidentiality impact. The diagnostic web interface is intended only for diagnostic purposes and should not be enabled unless advised by Gallagher Technical Support.
Recommendations
- Versions 8.60 and prior: no fixed build is listed; disable the diagnostic web interface until a patch is available.
- Versions 8.70 prior to vCR8.70.240520a: update to vCR8.70.240520a or later.
- Versions 8.80 prior to vCR8.80.240520a: update to vCR8.80.240520a or later.
- Versions 8.90 prior to vCR8.90.240520a: update to vCR8.90.240520a or later.
- Versions 9.00 prior to vCR9.00.240521a: update to vCR9.00.240521a or later.
- Versions 9.10 prior to vCR9.10.240520a: update to vCR9.10.240520a or later.
As a temporary workaround on any version, disable the diagnostic web interface unless advised by Gallagher Technical Support.
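The version table above is easy to misread when triaging a fleet by hand: each branch has its own fixed build, and the 8.60-and-prior branches have none. The following script is an added example (not part of the advisory and not Gallagher's own tooling) that encodes the table and flags each controller in a constructed inventory. It assumes that a controller reports its firmware in the same vCR<major>.<minor>.<YYMMDD><letter> shape the advisory uses for fixed builds; a bare "8.90"-style string with no build date is accepted and reported as needing a manual check rather than guessed either way.

```python
"""Flag Gallagher Controller 6000/7000 firmware builds affected by CVE-2024-22387,
using the per-branch fixed builds listed in the advisory (PT-2024-19380)."""
import re
from dataclasses import dataclass

# Fixed builds per branch, exactly as listed in the advisory. A build on one of
# these branches that is older than the fixed build is affected. Branches at or
# below LATEST_UNPATCHED_BRANCH (8.60 and prior) have no fixed build at all.
FIXED_BUILDS = {
    (8, 70): "vCR8.70.240520a",
    (8, 80): "vCR8.80.240520a",
    (8, 90): "vCR8.90.240520a",
    (9, 0):  "vCR9.00.240521a",
    (9, 10): "vCR9.10.240520a",
}
LATEST_UNPATCHED_BRANCH = (8, 60)

# Assumption: controllers report versions as vCR<major>.<minor>.<YYMMDD><letter>,
# the same shape the advisory uses. The build-date/letter part is optional so
# that a bare "8.90" still parses (it is then reported as unknown_build).
_BUILD_RE = re.compile(r"^(?:vCR)?(\d+)\.(\d+)(?:\.(\d{6})([a-z]?))?$")


@dataclass(frozen=True, order=True)
class Build:
    """Field order matters: dataclass ordering compares (major, minor, date, suffix),
    and a zero-padded YYMMDD string orders correctly as text."""
    major: int
    minor: int
    date: str    # YYMMDD, "" when not reported
    suffix: str  # trailing letter, "" when none

    @property
    def branch(self):
        return (self.major, self.minor)


def parse_build(text):
    m = _BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, date, suffix = m.groups()
    return Build(int(major), int(minor), date or "", suffix or "")


def assess(version):
    """Return 'affected', 'fixed', 'unknown_build' or 'not_listed' for one version string."""
    b = parse_build(version)
    if b.branch <= LATEST_UNPATCHED_BRANCH:
        return "affected"        # 8.60 and prior: no fixed build exists, disable the interface
    fixed = FIXED_BUILDS.get(b.branch)
    if fixed is None:
        return "not_listed"      # branch not covered by the advisory; check with the vendor
    if not b.date:
        return "unknown_build"   # covered branch, but the build date was not reported
    # A build without a trailing letter sorts below the lettered fixed build of the
    # same date and is therefore flagged as affected (conservative by design).
    return "fixed" if b >= parse_build(fixed) else "affected"


def triage(inventory):
    """Map controller name -> status for a {name: version} inventory."""
    return {name: assess(ver) for name, ver in inventory.items()}


# Constructed sample inventory for demonstration; not real site data.
SAMPLE_INVENTORY = {
    "ctrl-lobby-01":   "vCR8.80.240301b",   # older build on a fixed branch
    "ctrl-lobby-02":   "vCR8.80.240520a",   # exactly the fixed build
    "ctrl-carpark-01": "vCR8.60.231115a",   # branch with no fix
    "ctrl-dc-01":      "vCR9.00.240521a",   # exactly the fixed build
    "ctrl-dc-02":      "vCR9.00.240520c",   # one day before the fixed build
    "ctrl-annex-01":   "8.90",              # build date not reported
}

if __name__ == "__main__":
    for name, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name:16} {SAMPLE_INVENTORY[name]:20} {status}")
```

Anything reported as affected or unknown_build should have its diagnostic web interface disabled until the controller is confirmed on the fixed build, which matches the advisory's temporary workaround.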

Related Identifiers: CVE-2024-22387

Affected Products: Gallagher Controller 6000, Gallagher Controller 7000