CVE-2025-35983 is a vulnerability classified under CWE-295, which pertains to improper certificate validation, found in the Gallagher Controller 7000 security system. Specifically, the flaw exists in the OneLink implementation of the Controller 7000 firmware version 9.30 prior to vCR9.30.250624a (distributed in 9.30.1871 MR1). The vulnerability allows an unprivileged attacker to exploit the improper validation of certificates during the initial configuration phase of the Controller. This can lead to a limited denial of service (DoS) or potentially allow the attacker to perform privileged overrides. However, it is important to note that once the Controller is connected and operational, this vulnerability no longer poses a risk. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L) shows that the attack can be performed remotely over the network without privileges or user interaction, but requires high attack complexity. The impact affects integrity (privileged overrides) and availability (limited DoS), but not confidentiality. No known exploits are currently reported in the wild. The vulnerability arises because the Controller 7000 does not properly validate certificates during the initial setup, potentially allowing attackers to bypass security controls or disrupt service before the device is fully configured and secured. This flaw is limited to the initial configuration phase, reducing the window of exposure but still posing a risk in environments where devices are frequently reconfigured or deployed.

For European organizations, the impact of CVE-2025-35983 can be significant, particularly for those relying on Gallagher Controller 7000 systems for physical security and access control. The ability for an attacker to perform privileged overrides during initial configuration could allow unauthorized access or manipulation of security policies, potentially compromising facility security. The limited denial of service could disrupt security operations temporarily, affecting business continuity. Although the risk is confined to the initial configuration phase, organizations with frequent device provisioning or remote deployments may be more vulnerable. This could be especially impactful in critical infrastructure sectors such as transportation, energy, and government facilities across Europe that use Gallagher products. The lack of confidentiality impact reduces the risk of data leakage, but the integrity and availability concerns remain critical for operational security. The medium severity rating suggests that while the vulnerability is not trivial, it requires specific conditions and higher attack complexity, somewhat limiting widespread exploitation. However, the remote network attack vector without authentication means that attackers could attempt exploitation during device setup remotely, which is a concern for distributed or remotely managed deployments.

To mitigate CVE-2025-35983, European organizations should: 1) Immediately update affected Gallagher Controller 7000 devices to firmware version vCR9.30.250624a or later, as this version addresses the improper certificate validation issue. 2) Implement strict network segmentation and access controls to restrict access to devices during their initial configuration phase, limiting exposure to untrusted networks or users. 3) Employ out-of-band or physically secured configuration methods where possible to prevent remote exploitation during setup. 4) Monitor network traffic and device logs closely during device provisioning for any anomalous activity indicative of attempted exploitation. 5) Establish robust device deployment procedures that include verifying firmware versions and certificate validation status before connecting devices to production networks. 6) Engage with Gallagher support for any additional security advisories or patches related to this vulnerability. 7) Consider temporary compensating controls such as disabling remote configuration interfaces until devices are fully configured and secured. These steps go beyond generic advice by focusing on securing the initial configuration window, which is the critical exposure period for this vulnerability.