
CVE-2025-64734: CWE-772 Missing Release of Resource after Effective Lifetime in Gallagher T21 Reader

Severity: Low
Tags: Vulnerability, CVE-2025-64734, CWE-772
Published: Tue Nov 18 2025 (11/18/2025, 03:26:44 UTC)
Source: CVE Database V5
Vendor/Project: Gallagher
Product: T21 Reader

Description

Missing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific reader, preventing cardholders from badging for entry. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), and all versions of 9.00 and prior.

AI-Powered Analysis

Last updated: 11/25/2025, 04:43:10 UTC

Technical Analysis

CVE-2025-64734 is a vulnerability classified under CWE-772, Missing Release of Resource after Effective Lifetime. The flaw exists in the Gallagher T21 Reader, a physical access control device integrated with the Command Centre Server software. The reader fails to release certain resources once they are no longer needed, so repeated triggering of the condition leads to resource exhaustion. An attacker with physical access to the reader can exploit this to cause a denial of service (DoS) against that reader, disabling it and preventing authorized cardholders from gaining entry through it. The affected software versions are all versions of Command Centre Server 9.00 and prior, as well as 9.10, 9.20, and 9.30 before the respective patch releases (vCR9.10.251028a, vCR9.20.251028a, and vCR9.30.251028a). The vulnerability does not affect confidentiality or integrity; its impact is on availability, since the reader is rendered non-functional. Exploitation requires physical access to the device, but no authentication or user interaction is needed. No exploits have been reported in the wild. The CVSS v3.1 score of 2.4 reflects the low severity, primarily because of the physical attack vector and the limited impact scope (a single reader). The issue was published on November 18, 2025, and is in a published state. No patch links are provided in the source data, so organizations should obtain updates directly from Gallagher or their vendors. This vulnerability illustrates why resource lifetime management matters in embedded systems: a leak that is harmless under normal use becomes a DoS primitive when an attacker can trigger it repeatedly.

Potential Impact

For European organizations, the primary impact of CVE-2025-64734 is the potential disruption of physical access control systems relying on Gallagher T21 Readers. A successful attack could deny entry to authorized personnel, causing operational delays, security management challenges, and potential safety risks in sensitive facilities such as government buildings, critical infrastructure sites, and corporate offices. Although the vulnerability does not compromise data confidentiality or integrity, the availability impact could hinder business continuity and emergency response capabilities. Organizations with high reliance on Gallagher access control systems may face increased risk of physical security incidents or operational downtime. The requirement for physical access to exploit the vulnerability limits the threat to insiders or attackers with physical proximity, but insider threats or targeted sabotage remain concerns. The absence of known exploits reduces immediate risk but does not eliminate the need for proactive mitigation, especially in high-security environments.

Mitigation Recommendations

European organizations should implement the following specific mitigation strategies:

1) Immediately verify the version of Gallagher Command Centre Server and T21 Reader firmware in use and prioritize upgrading to the patched versions vCR9.10.251028a, vCR9.20.251028a, or vCR9.30.251028a as applicable.
2) Restrict physical access to T21 Readers by enhancing perimeter security controls, including surveillance, access restrictions, and tamper-evident seals to prevent unauthorized physical manipulation.
3) Conduct regular physical inspections of readers to detect signs of tampering or malfunction.
4) Implement monitoring and alerting mechanisms within the access control management system to quickly identify and respond to reader outages or failures.
5) Train security personnel to recognize and respond to potential physical sabotage attempts.
6) Coordinate with Gallagher support or authorized vendors to obtain official patches and firmware updates promptly.
7) Consider deploying redundant or failover access control readers at critical entry points to maintain availability in case of device failure.

These measures go beyond generic advice by focusing on physical security hardening, operational monitoring, and patch management tailored to this specific vulnerability.


Technical Details

Data Version: 5.2
Assigner Short Name: Gallagher
Date Reserved: 2025-11-11T04:00:46.427Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691bed9bd4c3ef3c7a628533

Added to database: 11/18/2025, 3:52:59 AM

Last enriched: 11/25/2025, 4:43:10 AM

Last updated: 1/7/2026, 4:20:54 AM
