CVE-2025-64734: CWE-772 Missing Release of Resource after Effective Lifetime in Gallagher T21 Reader
Missing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific reader, preventing cardholders from badging for entry. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior.
AI Analysis
Technical Summary
CVE-2025-64734 identifies a vulnerability classified under CWE-772 (Missing Release of Resource after Effective Lifetime) in Gallagher's T21 Reader, a physical access control device integrated with the Command Centre Server software. The flaw arises because the reader fails to properly release resources after their effective lifetime, leading to resource exhaustion. This condition can be triggered by an attacker with physical access to the reader, causing it to enter a denial-of-service state where it no longer processes badge entries. The affected software versions include all versions of Command Centre Server 9.00 and prior, as well as specific builds of versions 9.10, 9.20, and 9.30 before their respective patch releases. The vulnerability does not require authentication or user interaction beyond physical access, and it does not compromise confidentiality or integrity of data, only availability. The CVSS v3.1 base score is 2.4, reflecting low severity due to the limited attack vector (physical access) and impact scope (single reader device). No public exploit code or active exploitation has been reported. The issue highlights the importance of resource management in embedded systems controlling physical security infrastructure. Organizations relying on Gallagher T21 Readers should monitor for vendor patches and apply updates promptly to prevent potential denial-of-service disruptions at access points.
Potential Impact
For European organizations, the primary impact of CVE-2025-64734 is the potential denial-of-service of Gallagher T21 Readers, which could disrupt physical access control systems. This may lead to temporary inability for authorized personnel to badge into secure areas, causing operational delays and potential security risks if manual override procedures are not in place. While the vulnerability does not expose sensitive data or allow unauthorized access, the availability loss could affect critical infrastructure facilities, corporate offices, or government buildings relying on these readers. The requirement for physical access to exploit the vulnerability limits the threat to insider attackers or adversaries with physical proximity. However, in high-security environments where Gallagher products are widely deployed, such disruptions could have cascading effects on security operations and business continuity. The absence of known exploits reduces immediate risk, but organizations should remain vigilant given the potential for targeted physical attacks.
Mitigation Recommendations
1. Apply vendor patches and updates to Command Centre Server as soon as they become available, specifically versions vCR9.30.251028a, vCR9.20.251028a, and vCR9.10.251028a or later.
2. Enhance physical security controls around T21 Readers to prevent unauthorized physical access, including surveillance, tamper detection, and restricted access zones.
3. Implement monitoring and alerting for reader malfunctions or denial-of-service conditions to enable rapid response.
4. Develop and rehearse manual access procedures or alternative authentication methods to maintain operations during reader outages.
5. Conduct regular audits of physical access control devices to identify and remediate resource management issues proactively.
6. Coordinate with Gallagher support for guidance and to confirm patch applicability in complex environments.
7. Limit physical access to readers to trusted personnel only, reducing the risk of exploitation.
8. Document incident response plans specifically addressing physical access control device failures.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Norway, Switzerland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gallagher
- Date Reserved: 2025-11-11T04:00:46.427Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691bed9bd4c3ef3c7a628533
Added to database: 11/18/2025, 3:52:59 AM
Last enriched: 11/18/2025, 4:00:43 AM
Last updated: 11/18/2025, 6:13:48 AM