CVE-2026-27790
Severity: Low
CVSS scoring string: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Components affected: T20 Readers
Version of Command Centre affected:
- 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1))
- 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3))
- 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5))
- 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7))
- all versions of 9.10 and prior.
Reported by: Internal
Active exploitation of vulnerability*: No
Description of vulnerability: Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Gallagher recommends keeping the diagnostic web page disabled (which is the default), unless advised to enable it by Gallagher Technical Support. This interface is intended only for diagnostic purposes.
Mitigation: Ensure DIP switch 1 is turned OFF on all Controllers and the option, "Dipswitch 1 controls the diagnostic web interface," is not checked in Configuration Client on Controller property pages. Do not use the Controller override, "Enable WWW Connections." Refer to the Gallagher Command Centre Hardening Guide for more details.
*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.
Stay up to date with Gallagher
Get the latest Gallagher news, updates, and event information delivered straight to your inbox.