Our 2027 Security Industry Trends Survey is now live. Add your insights to the conversion. Take the survey now

CVE-2026-27844

Severity: Low

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Components affected: Controller 7000 and Controller 6000

Version of Command Centre affected: 

  • 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1))
  • 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3))
  • 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5))
  • 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7))
  • all versions of 9.10 and prior.

Reported by: Internal

Active exploitation of vulnerability*: No

Description of vulnerability: Uncaught Exception (CWE-248) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to trigger a Controller restart by sending specific requests, resulting in a temporary denial of service. 
Gallagher recommends keeping the diagnostic web page disabled (which is the default), unless advised enabling it by Gallagher Technical Support. This interface is intended only for diagnostic purposes.

Mitigation: Ensure DIP switch 1 is turned OFF on all Controllers and the option, "Dipswitch 1 controls the diagnostic web interface," is not checked in Configuration Client on Controller property pages. Do not use the Controller override, "Enable WWW Connections." Refer to the Gallagher Command Centre Hardening Guide for more details.

*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.

 

Stay up to date with Gallagher

Get the latest Gallagher news, updates, and event information delivered straight to your inbox.