
CVE-2025-52457: CWE-208 Observable Timing Discrepancy in Gallagher HBUS Devices

Severity: Medium
Tags: vulnerability, cve, cve-2025-52457, cwe-208
Published: Tue Nov 18 2025 (11/18/2025, 03:25:57 UTC)
Source: CVE Database V5
Vendor/Project: Gallagher
Product: HBUS Devices

Description

Observable Timing Discrepancy (CWE-208) in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior.

AI-Powered Analysis

AI analysis last updated: 11/25/2025, 04:42:38 UTC

Technical Analysis

CVE-2025-52457 identifies a timing side-channel vulnerability (CWE-208) in Gallagher HBUS devices integrated with the Command Centre Server software. The vulnerability arises from observable timing discrepancies during cryptographic operations that allow an attacker with physical access to the device to infer device-specific keys. These keys are critical for securing communications and access control at the site level, meaning their compromise could lead to unauthorized access or manipulation of security systems. The affected software versions include all 9.00 and prior versions, and specific releases of 9.10, 9.20, and 9.30 prior to their respective patched builds (vCR9.xx.251028a). The CVSS 3.1 score is 5.7 (medium), reflecting the requirement for physical access and high attack complexity, but with significant confidentiality and integrity impact. No authentication or user interaction is needed, but the attacker must be physically present at the device. Gallagher has acknowledged the issue and released patches in later maintenance releases (MR3, MR5, MR8) for the affected versions. No public exploits have been reported, but the vulnerability poses a risk to environments where physical security is weak or where attackers could gain temporary device access. The timing discrepancy likely involves subtle differences in processing time during cryptographic key handling, which can be measured and analyzed to recover secret keys. This side-channel attack vector is particularly concerning for security devices that rely on hardware-based keys for site-wide protection.
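The pattern that CWE-208 describes is easiest to see in a comparison routine. Below is an added illustration written for this entry; it is not Gallagher code and does not describe how HBUS devices actually handle keys. It contrasts an early-exit byte comparison, whose work (and therefore elapsed time) depends on how many leading bytes of a secret matched, with a constant-time comparison that always inspects every byte and folds the result into an accumulator. The sample 16-byte tag values and the byte counter used to make the difference observable in a test are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instrumentation for the example only: how many bytes the most recent
   comparison inspected before returning. Real firmware would not keep
   such a counter; it stands in here for elapsed time. */
static size_t g_bytes_examined = 0;

size_t bytes_examined_by_last_compare(void) { return g_bytes_examined; }

/* Early-exit comparison: returns on the first mismatching byte. The number
   of iterations, and so the time taken, reveals how long the matching
   prefix was. This is the observable timing discrepancy of CWE-208. */
int tag_equal_early_exit(const uint8_t *expected, const uint8_t *got, size_t len) {
    g_bytes_examined = 0;
    for (size_t i = 0; i < len; i++) {
        g_bytes_examined++;
        if (expected[i] != got[i]) {
            return 0;
        }
    }
    return 1;
}

/* Constant-time comparison: always walks all len bytes, OR-ing the XOR of
   each pair into an accumulator. Control flow and iteration count do not
   depend on where (or whether) the inputs differ. */
int tag_equal_constant_time(const uint8_t *expected, const uint8_t *got, size_t len) {
    uint8_t diff = 0;
    g_bytes_examined = 0;
    for (size_t i = 0; i < len; i++) {
        g_bytes_examined++;
        diff |= (uint8_t)(expected[i] ^ got[i]);
    }
    /* Map diff == 0 to 1 and any nonzero diff to 0 without a data-dependent
       branch: (0 - 1) underflows to all ones, so bit 31 is set only for 0. */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Constructed sample values: a reference tag, a copy of it, and a candidate
   that agrees with the reference only in its first three bytes. */
const uint8_t SAMPLE_EXPECTED[16] = {
    0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18,
    0x29, 0x3A, 0x4B, 0x5C, 0x6D, 0x7E, 0x8F, 0x90
};
const uint8_t SAMPLE_MATCH[16] = {
    0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18,
    0x29, 0x3A, 0x4B, 0x5C, 0x6D, 0x7E, 0x8F, 0x90
};
const uint8_t SAMPLE_PARTIAL[16] = {
    0xA1, 0xB2, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void) {
    int r;

    r = tag_equal_early_exit(SAMPLE_EXPECTED, SAMPLE_PARTIAL, sizeof SAMPLE_EXPECTED);
    printf("early-exit:    match=%d bytes examined=%zu\n", r, bytes_examined_by_last_compare());

    r = tag_equal_constant_time(SAMPLE_EXPECTED, SAMPLE_PARTIAL, sizeof SAMPLE_EXPECTED);
    printf("constant-time: match=%d bytes examined=%zu\n", r, bytes_examined_by_last_compare());

    return 0;
}
```

The early-exit version stops after four bytes on the partially matching candidate, while the constant-time version examines all sixteen regardless of input; both agree on the match result. Auditing device firmware for comparisons of keys, MACs and tokens that use memcmp-style early-exit logic, and replacing them with the accumulator form, is the code-level remediation for this weakness class; the specific fix for the HBUS devices is the vendor patch listed in the description.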

Potential Impact

For European organizations, especially those in critical infrastructure sectors such as government facilities, transportation hubs, energy plants, and large enterprises using Gallagher HBUS devices, this vulnerability could lead to significant security breaches. Extraction of device-specific keys compromises the confidentiality and integrity of access control systems, potentially allowing attackers to bypass physical security controls, manipulate access logs, or disable alarms. This could result in unauthorized physical access, data breaches, or sabotage. The requirement for physical access limits remote exploitation but raises concerns in environments with insufficient physical security or insider threats. The impact is heightened in countries with widespread deployment of Gallagher security solutions in sensitive facilities. Additionally, compromised keys could facilitate lateral movement within a site’s security infrastructure, amplifying the threat. The absence of known exploits suggests limited current risk, but the potential for targeted attacks remains. Organizations may face regulatory and compliance consequences if such breaches occur, particularly under GDPR and other European security regulations.

Mitigation Recommendations

1. Immediately upgrade Gallagher Command Centre Server to the patched versions: 9.30.2881 (MR3), 9.20.3265 (MR5), or 9.10.4135 (MR8) or later, as applicable.
2. Conduct a thorough physical security assessment of all locations housing HBUS devices to prevent unauthorized physical access.
3. Implement tamper-evident seals and intrusion detection mechanisms on devices to detect and deter physical attacks.
4. Regularly audit and monitor device logs and network traffic for anomalies indicating potential key extraction attempts or unauthorized access.
5. Restrict access to devices to trusted personnel only and enforce strict access control policies.
6. Consider deploying additional layers of cryptographic protection or hardware security modules (HSMs) if supported.
7. Train security staff to recognize signs of physical tampering and respond promptly.
8. Maintain an incident response plan that includes procedures for suspected key compromise.
9. Engage with Gallagher support for guidance on secure configuration and future firmware updates.
10. Review and update physical and cybersecurity policies to address side-channel attack vectors.


Technical Details

Data Version
5.2
Assigner Short Name
Gallagher
Date Reserved
2025-06-17T02:18:59.272Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 691bed9bd4c3ef3c7a628529

Added to database: 11/18/2025, 3:52:59 AM

Last enriched: 11/25/2025, 4:42:38 AM

Last updated: 1/7/2026, 4:52:24 AM

