SecuriTricks - CVE-2025-47699

Description

Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.

Product(s) Impacted

Vendor	Product	Versions
Gallagher	Command Centre Server	8.90, <9.00, <9.10, <9.20, <9.30

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	gallagher	command_centre_server	8.90	/	/	/	/	/	/	/
a	gallagher	command_centre_server	<9.00	/	/	/	/	/	/
a	gallagher	command_centre_server	<9.10	/	/	/	/	/	/
a	gallagher	command_centre_server	<9.20	/	/	/	/	/	/
a	gallagher	command_centre_server	<9.30	/	/	/	/	/	/

References

https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-47699

CVSS Score

9.9 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

View Vector String

Timeline

Published: Oct. 23, 2025, 4:16 a.m.
Last Modified: Oct. 23, 2025, 4:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

disclosures@gallagher.com

CVE-2025-47699