HID-based access control products Mercury controllers have serious flaws that can be used by hackers to unlock doors remotely.
Researchers at XDR business Trellix, which emerged earlier this year following the merging of McAfee Enterprise and FireEye, uncovered the flaws. The flaws were discovered in LenelS2 devices — a physical security division of HVAC giant Carrier — but Trellix said it had proof from HID Global that all OEM partners who use particular hardware controllers are impacted.
Trellix researchers discovered eight vulnerabilities, seven of which were classified as “critical” or “high” in severity. Remote code execution, command injection, denial-of-service (DoS), information spoofing, and writing arbitrary files are all possible exploits.