CVE-2025-52457: CWE-208 Observable Timing Discrepancy in Gallagher HBUS Devices
Observable Timing Discrepancy (CWE-208) in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior.
AI Analysis
Technical Summary
CVE-2025-52457 identifies a timing side-channel vulnerability classified as CWE-208 (Observable Timing Discrepancy) in Gallagher HBUS devices integrated with Command Centre Server software. The vulnerability arises because the device's response times vary in a way that an attacker with physical access can measure and analyze, allowing extraction of device-specific cryptographic keys. These keys are critical for securing communications and operations within the site security ecosystem managed by Gallagher's Command Centre Server. The affected versions are the 9.30 series prior to vCR9.30.251028a (distributed in 9.30.2881 MR3), the 9.20 series prior to vCR9.20.251028a (distributed in 9.20.3265 MR5), the 9.10 series prior to vCR9.10.251028a (distributed in 9.10.4135 MR8), and all versions 9.00 and earlier. The vulnerability requires neither user interaction nor prior authentication, but it does require physical access, which raises the attack complexity. Exploitation could compromise the confidentiality and integrity of the security system, potentially allowing attackers to bypass security controls or manipulate site security operations. No public exploits are currently known, but the medium CVSS score of 5.7 reflects the significant risk posed by key extraction. Gallagher has reserved the CVE and published the vulnerability details, but no direct patch links were provided in the source data, so organizations must verify and apply the latest Command Centre Server updates themselves. The vulnerability highlights the importance of securing physical access to security devices and monitoring for anomalous timing behaviors that could indicate side-channel attacks.
Potential Impact
For European organizations, especially those managing critical infrastructure, government facilities, or large commercial sites, this vulnerability poses a risk of unauthorized access and control over physical security systems. Extraction of device-specific keys could allow attackers to impersonate legitimate devices, disable alarms, or manipulate access controls, undermining the integrity and confidentiality of site security. The requirement for physical access limits remote exploitation but raises concerns about insider threats or attackers gaining entry to secure areas. Compromise of Gallagher HBUS devices could cascade into broader security failures, affecting safety and operational continuity. Given Gallagher's market presence in Europe, particularly in countries with stringent security regulations and high adoption of integrated security solutions, the impact could be significant if unmitigated. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop techniques to leverage this timing discrepancy. Organizations could face regulatory and reputational damage if breaches occur due to this vulnerability.
Mitigation Recommendations
1. Immediately verify the version of Gallagher Command Centre Server software in use and upgrade to the latest patched versions: vCR9.30.251028a or later for the 9.30 series, vCR9.20.251028a or later for the 9.20 series, and vCR9.10.251028a or later for the 9.10 series. For versions 9.00 and earlier, upgrade to a supported version with the fix.
2. Restrict physical access to HBUS devices by enforcing strict access controls, surveillance, and tamper-evident measures to prevent unauthorized personnel from gaining proximity to devices.
3. Conduct regular security audits and physical inspections of security hardware to detect signs of tampering or unauthorized access.
4. Implement anomaly detection on device communications to identify unusual timing patterns or behaviors that could indicate side-channel exploitation attempts.
5. Train security personnel on the risks of physical access vulnerabilities and the importance of securing hardware components.
6. Coordinate with Gallagher support for any additional firmware or hardware mitigations that may be available.
7. Review and enhance overall physical security policies to minimize insider threat risks and unauthorized device handling.
8. Maintain an incident response plan that includes procedures for suspected physical compromise of security devices.
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gallagher
- Date Reserved: 2025-06-17T02:18:59.272Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691bed9bd4c3ef3c7a628529
Added to database: 11/18/2025, 3:52:59 AM
Last enriched: 11/18/2025, 4:01:16 AM
Last updated: 11/18/2025, 7:55:57 AM