CVE-2025-46406 is a medium-severity vulnerability classified under CWE-270 (Privilege Context Switching Error) affecting Gallagher's Command Centre Server, a security management platform used for access control and security operations. The vulnerability arises from improper enforcement of privilege boundaries between Divisions within the system. Specifically, a privileged Operator with high-level access in one Division could exploit this flaw to perform limited privileged actions across Division boundaries, which should normally be isolated. This cross-division privilege escalation undermines the principle of least privilege and segmentation within the Command Centre Server environment. The affected versions include all releases prior to 9.30.1874 (MR1), 9.20.2337 (MR3), 9.10.3194 (MR6), 9.00.3371 (MR7), and all versions of 8.90 and earlier. The CVSS v3.1 base score is 5.6, reflecting a medium severity with an attack vector limited to local access (AV:L), requiring low attack complexity (AC:L), low privileges (PR:L), and user interaction (UI:R). The impact primarily affects integrity (I:H) with limited availability impact (A:L) and no confidentiality impact (C:N). No known exploits are currently reported in the wild, and no official patches or mitigation links were provided at the time of publication. This vulnerability could allow unauthorized modification of security configurations or policies across Divisions, potentially leading to unauthorized access or control within the security management system.

For European organizations, especially those in critical infrastructure, government, or large enterprises using Gallagher Command Centre Server for physical security management, this vulnerability poses a risk of unauthorized privilege escalation across organizational boundaries. The ability for an operator to perform privileged actions beyond their authorized Division could lead to unauthorized access to sensitive areas, manipulation of access control policies, or disruption of security monitoring. This could compromise physical security, lead to data breaches, or facilitate insider threats. The impact is heightened in environments with strict segmentation requirements, such as multi-tenant facilities or organizations with compartmentalized security zones. Although exploitation requires local access and user interaction, the risk remains significant where operators have legitimate access to the system but should be restricted to specific Divisions. The lack of confidentiality impact reduces the risk of data leakage, but the integrity and availability of security controls could be compromised, potentially undermining trust in the security infrastructure.

European organizations should prioritize upgrading Gallagher Command Centre Server to the fixed versions: 9.30.1874 (MR1), 9.20.2337 (MR3), 9.10.3194 (MR6), or 9.00.3371 (MR7) as applicable. Until patches are available or applied, organizations should enforce strict operational controls such as limiting the number of privileged Operators with cross-Division access, implementing robust monitoring and auditing of privileged actions, and employing multi-factor authentication to reduce the risk of unauthorized use. Segmentation of administrative duties and regular review of operator privileges can help detect and prevent abuse. Additionally, organizations should conduct targeted security awareness training to ensure Operators understand the risks of cross-Division privilege misuse. Network-level controls can be used to restrict access to the Command Centre Server management interfaces to trusted hosts and networks. Finally, organizations should maintain close communication with Gallagher for updates and advisories regarding this vulnerability and any forthcoming patches or mitigations.