Researchers Reveal Critical Flaws in Carrier’s Industrial Access Control System


As many as eight zero-day vulnerabilities have been disclosed in Carrier’s LenelS2 HID Mercury access control system, which is widely used in the healthcare, education, transportation, and government sectors.

“The vulnerabilities discovered allowed us to remotely unlock and lock doors, subvert alarms, and compromise logging and notification systems,” Trellix security researchers Steve Povolny and Sam Quinn said in a report shared with The Hacker News.

In a nutshell, a malicious actor can weaponize the flaws to gain full system control, including the ability to manipulate door locks. One of the bugs (CVE-2022-31481) is an unauthenticated remote execution flaw rated 10 out of 10 for severity on the CVSS scoring system.

Other deficiencies can lead to command injection (CVE-2022-31479, CVE-2022-31486), denial-of-service (CVE-2022-31480, CVE-2022-31482), user modification (CVE-2022-31484), information spoofing (CVE-2022-31485), and arbitrary file write (CVE-2022-31483).

LenelS2 is used to grant physical access to privileged facilities and to integrate with more complex building automation implementations. The following HID Mercury access panels sold by LenelS2 are affected:

LNL-X2210, LNL-X2220, LNL-X3300, LNL-X4420, LNL-4420, S2-LP-1501, S2-LP-1502, S2-LP-2500, and S2-LP-4502

Trellix noted that by chaining two of the aforementioned vulnerabilities, it was able to remotely gain root-level privileges on the device and to unlock and control the doors, effectively undermining the system’s monitoring protections.

Concurrent with the disclosure is an Industrial Control Systems (ICS) advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urging users to update access panels to the latest firmware version (CARR-PSA-006-0622).

“Successful exploitation of these vulnerabilities could allow an attacker to gain access to the device, which would allow monitoring of all communications sent to and from the device, modify the built-in relays, modify configuration files, device instability, and a denial-of-service condition may occur,” the agency said in a warning.