A critical vulnerability, identified as CVE-2025-47699, has been discovered in the Gallagher Morpho integration, rated with a CVSS score of 9.9. This flaw allows an authenticated attacker with limited permissions to access sensitive system information, which can then be used to escalate privileges and gain full administrative control. Successful exploitation could lead to a complete compromise of the physical access control system, enabling unauthorized access to secure facilities and sensitive data.

The vulnerability is an Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497). An authenticated operator with low-level permissions can exploit this flaw to access sensitive configuration data or credentials that should be restricted to high-privilege administrators. By leveraging this exposed information, the attacker can bypass security controls and escalate their privileges, ultimately allowing them to perform critical, unauthorized actions as a full administrator, leading to a complete system compromise.

This vulnerability presents a critical risk to the organization, reflected by its 9.9 CVSS score. Exploitation could lead to a complete failure of the physical security posture managed by the Gallagher system. Potential consequences include unauthorized physical access to restricted areas, data centers, or sensitive research facilities, theft of physical assets and intellectual property, and sabotage of critical infrastructure. The compromise of biometric and personal data could also result in significant regulatory fines and severe reputational damage.

Immediate Action: Immediately apply the security patches provided by the vendor to update the Gallagher Morpho integration to the latest, non-vulnerable version. After patching, review system access logs for any anomalous activity originating from low-privilege operator accounts that may indicate prior exploitation attempts.

Proactive Monitoring: Implement enhanced monitoring on the Gallagher Command Centre and related servers. Specifically, look for unusual API calls from operator accounts, attempts to access or modify system configurations outside of normal duties, and unexpected privilege escalation events. Configure alerts for any changes to administrative account credentials or permissions.

Compensating Controls: If immediate patching is not feasible, implement compensating controls. Strictly enforce the principle of least privilege, ensuring operator accounts have the absolute minimum permissions required for their roles. Isolate the Gallagher system servers through network segmentation to limit access. Increase the verbosity of logging and implement real-time alerting for any administrative functions being performed on the system.

Public Exploit Available: false

Given the critical CVSS score of 9.9, this vulnerability must be treated as the highest priority for remediation. The potential for a low-privilege user to achieve full system compromise presents an unacceptable risk to both physical and information security. We strongly recommend applying the vendor-supplied patch to all affected systems immediately. Although this CVE is not currently listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion and a high-value target for attackers.