Critical vulnerabilities affecting HID Mercury controllers

June 16, 2022

Multiple critical vulnerabilities are affecting HID Mercury™ intelligent controllers LP1501, LP1502, LP2500, LP4502, and EP4502

Risk assessment

These vulnerabilities can lead to malicious actors gaining the ability to manipulate door locks, subvert alarms, and undermine logging and notification systems. Other shortcomings could lead to command injection, denial-of-service, user modification, and information spoofing as well as achieving arbitrary file writing. The CVSS score for those vulnerabilities is 10 (critical).

For more details, please see the CISA advisory on the topic.

Recommendation

HID Mercury recommends upgrading all LP1501, LP1502, LP2500, and LP4502 intelligent controllers to firmware version 1.30.3. EP4502 should be updated to version 1.29.7.

All Mercury firmware, as well as related articles, are available on the Genetec Technical Assistance Portal (GTAP).

To log in to the Genetec Portal, you must be a Security Center user with the appropriate credentials. If you don't have access credentials, please contact channelsales@genetec.com.