CVE-2025-35981: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in Gallagher Command Centre Server
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) in the Command Centre Server allows a privileged Operator to view limited personal data about a Cardholder they would not normally have permissions to view. This issue affects Command Centre Server: 9.30.1874 (MR1), 9.20.2337 (MR3), 9.10.3194 (MR6).
AI Analysis
Technical Summary
CVE-2025-35981 is a vulnerability categorized under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) affecting Gallagher's Command Centre Server software versions 9.30.1874 (MR1), 9.20.2337 (MR3), and 9.10.3194 (MR6). The flaw allows a privileged operator—someone with elevated but not necessarily administrative rights—to view personal data of cardholders that they would not normally be authorized to access. This exposure stems from insufficient access control enforcement within the Command Centre Server, which manages physical access control and security operations. The vulnerability impacts confidentiality by allowing unauthorized disclosure of sensitive personal information, but it does not affect data integrity or system availability. Exploitation requires local access with privileged operator credentials, and no user interaction is needed. The CVSS 3.1 base score is 5.5 (medium severity), reflecting the limited scope and access requirements. No public exploits have been reported, and no patches are currently linked, indicating that mitigation may rely on vendor updates or configuration changes. Gallagher Command Centre Server is widely used in physical security deployments, including in critical infrastructure and enterprise environments, making this vulnerability relevant for organizations relying on this platform for access control and security management.
Potential Impact
For European organizations, the primary impact of CVE-2025-35981 is the unauthorized disclosure of private personal information of cardholders, which could include employees, contractors, or visitors. This exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. Although the vulnerability does not allow modification or disruption of services, the leakage of sensitive data can facilitate social engineering attacks or insider threats. Organizations in sectors with stringent privacy requirements—such as finance, healthcare, government, and critical infrastructure—face heightened risks. The requirement for privileged operator access limits the attack surface but underscores the importance of strict role-based access controls and monitoring. Since Gallagher Command Centre Server is often integrated into physical security systems, unauthorized data exposure could also undermine trust in security operations and complicate incident response efforts.
Mitigation Recommendations
European organizations should immediately review and tighten access controls for privileged operator accounts within Gallagher Command Centre Server, ensuring the principle of least privilege is strictly enforced. Implement detailed logging and monitoring of operator activities to detect any unauthorized access to personal data. Conduct regular audits of user permissions and remove unnecessary privileges. Engage with Gallagher to obtain and apply security patches or updates as soon as they become available. If patches are delayed, consider temporary compensating controls such as network segmentation to limit access to the Command Centre Server and multi-factor authentication for operator accounts. Additionally, provide security awareness training to operators about the sensitivity of personal data and the importance of adhering to access policies. Finally, ensure compliance with GDPR by documenting the vulnerability, impact assessments, and mitigation steps taken.
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Gallagher
- Date Reserved: 2025-06-17T02:18:59.266Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f9a9e6102015466a330ff4
Added to database: 10/23/2025, 4:07:02 AM
Last enriched: 10/23/2025, 4:07:59 AM
Last updated: 10/23/2025, 5:38:20 AM