CVE-2025-52457: Timing Attack Threatens HBUS Devices – Secure Your Gallagher Command Centre!

Overview

CVE-2025-52457 is a medium-severity vulnerability affecting HBUS devices used with Gallagher Command Centre. This vulnerability, classified as an Observable Timing Discrepancy (CWE-208), could allow an attacker with physical access to the device to extract sensitive, device-specific keys. Successful exploitation could compromise the security of the entire site protected by the system.

Technical Details

The vulnerability lies in timing differences that can be observed while HBUS devices process certain operations. Because the execution time of these operations varies with the input data, an attacker with physical access can measure those variations, and statistical analysis of the measurements can reveal information about the device's internal keys.
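To make the CWE-208 mechanism concrete, here is an added example. It is not code from Gallagher or from the original post, and the advisory does not describe which HBUS operation leaks, so the key check below is a hypothetical stand-in: a byte-by-byte comparison that exits at the first mismatch, shown beside a constant-time version. Loop iteration counts stand in for measured time so the result is reproducible. SAMPLE_KEY and all function names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_LEN 16

/* Constructed sample key for the demonstration only; not a real device key. */
static const uint8_t SAMPLE_KEY[KEY_LEN] = {
    0x13, 0x37, 0xC0, 0xDE, 0xBA, 0xAD, 0xF0, 0x0D,
    0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04
};

/* Early-exit comparison (hypothetical leaky check): it stops at the first
 * mismatching byte, so the number of loop iterations, and therefore the run
 * time, grows with the length of the matching prefix. That data-dependent
 * timing is what CWE-208 describes. */
static int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n,
                         size_t *iterations)
{
    *iterations = 0;
    for (size_t i = 0; i < n; i++) {
        (*iterations)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: visits every byte regardless of where the
 * first difference is, accumulates differences with OR, and turns the
 * result into 0/1 without branching on secret data. */
static int ct_compare(const uint8_t *a, const uint8_t *b, size_t n,
                      size_t *iterations)
{
    uint32_t diff = 0;
    *iterations = 0;
    for (size_t i = 0; i < n; i++) {
        (*iterations)++;
        diff |= (uint32_t)(a[i] ^ b[i]);
    }
    /* diff == 0 -> (diff - 1) wraps to 0xFFFFFFFF -> top bit set -> 1;
     * diff in 1..255 -> top bit clear -> 0 */
    return (int)((diff - 1u) >> 31);
}

/* Build a guess that shares exactly `prefix` leading bytes with SAMPLE_KEY
 * (remaining bytes are inverted so they never match). */
static void make_guess(uint8_t *guess, size_t prefix)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        guess[i] = (i < prefix) ? SAMPLE_KEY[i]
                                : (uint8_t)(SAMPLE_KEY[i] ^ 0xFFu);
}

/* Loop iterations spent comparing a guess with `prefix` correct bytes.
 * The count stands in for wall-clock time so the result is deterministic. */
size_t iterations_for_prefix(size_t prefix, int constant_time)
{
    uint8_t guess[KEY_LEN];
    size_t iters = 0;
    make_guess(guess, prefix);
    if (constant_time)
        ct_compare(SAMPLE_KEY, guess, KEY_LEN, &iters);
    else
        leaky_compare(SAMPLE_KEY, guess, KEY_LEN, &iters);
    return iters;
}

/* Comparison verdict (1 = match) for the same guess, to confirm the
 * constant-time version is still a correct comparison. */
int verdict_for_prefix(size_t prefix, int constant_time)
{
    uint8_t guess[KEY_LEN];
    size_t iters = 0;
    make_guess(guess, prefix);
    return constant_time ? ct_compare(SAMPLE_KEY, guess, KEY_LEN, &iters)
                         : leaky_compare(SAMPLE_KEY, guess, KEY_LEN, &iters);
}

int main(void)
{
    printf("correct prefix  leaky iterations  constant-time iterations\n");
    for (size_t p = 0; p <= KEY_LEN; p += 4)
        printf("%14zu  %16zu  %24zu\n", p,
               iterations_for_prefix(p, 0), iterations_for_prefix(p, 1));
    return 0;
}
```

The early-exit version's iteration count is the position of the first mismatch plus one, which is exactly the input-dependent signal the advisory warns about; the constant-time version always performs KEY_LEN iterations and still returns the correct verdict. The same principle applies to any secret-dependent branch, table lookup, or loop bound in device firmware, and removing such dependencies in code complements the physical-access controls recommended in the mitigation section.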

Specifically, the following versions of Gallagher Command Centre Server are affected:

  • 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3))
  • 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5))
  • 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8))
  • All versions of 9.00 and prior

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-52457 is 5.7 (Medium). The CVSS vector likely includes metrics indicating the need for physical access, which limits the scope of the attack, but emphasizes the potential severity of a successful exploit.

Possible Impact

A successful exploit of CVE-2025-52457 can have serious consequences, including:

  • Compromised Site Security: Extraction of device-specific keys could allow an attacker to bypass access controls and potentially gain unauthorized access to the entire site.
  • Data Breach: Depending on the system configuration and data stored on or accessible via the HBUS devices, a data breach may occur.
  • System Disruption: An attacker could disrupt the operation of the security system, disabling alarms, locks, and other critical functions.

Mitigation or Patch Steps

Gallagher has released patched versions of Command Centre Server to address this vulnerability. It is strongly recommended that users upgrade to the following versions (or later) as soon as possible:

  • vCR9.30.251028a (distributed in 9.30.2881 (MR3))
  • vCR9.20.251028a (distributed in 9.20.3265 (MR5))
  • vCR9.10.251028a (distributed in 9.10.4135 (MR8))

Ensure you follow Gallagher’s recommended upgrade procedures. Until the upgrade is complete, consider implementing enhanced physical security measures to limit unauthorized access to HBUS devices.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
