ICSA-22-153-01 · Published 2022-06-02 · View on CISA ICS-CERT ↗

Carrier LenelS2 HID Mercury access panels

CVSS 10.0 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.

CVEs (8)

CVE-2022-31479 CVE-2022-31480 CVE-2022-31481 CVE-2022-31482 CVE-2022-31483 CVE-2022-31484 CVE-2022-31485 CVE-2022-31486

Remediations

Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions.
The controller can also be configured to disable web access, which prevents remote login into the controller's webpage. To log in, see the specific instructions in CARR-PSA-006-0622
Carrier has published CARR-PSA-006-0622 to notify users about these vulnerabilities, providing additional mitigation instructions.

Affected Vendors

Carrier LenelS2

Affected Products (9)

Carrier LenelS2 · HID Mercury access panels sold by LenelS2 LNL-X2210

Carrier LenelS2 · HID Mercury access panels sold by LenelS2 LNL-X2220

Carrier LenelS2 · HID Mercury access panels sold by LenelS2 LNL-X3300

Carrier LenelS2 · HID Mercury access panels sold by LenelS2 LNL-X4420

Carrier LenelS2 · HID Mercury access panels sold by LenelS2 LNL-4420

Carrier LenelS2 · HID Mercury access panels sold by LenelS2 S2-LP-1501

Carrier LenelS2 · HID Mercury access panels sold by LenelS2 S2-LP-4502

Carrier LenelS2 · HID Mercury access panels sold by LenelS2 S2-LP-2500

Carrier LenelS2 · HID Mercury access panels sold by LenelS2 S2-LP-1502

Affected Sectors

Commercial Facilities

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more