OTPulse

Carrier LenelS2 HID Mercury access panels

Plan PatchCVSS 10ICS-CERT ICSA-22-153-01Jun 2, 2022
Carrier
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Multiple vulnerabilities in HID Mercury access panels sold by LenelS2 allow remote attackers to gain unauthorized access to the device without credentials. Successful exploitation could enable an attacker to eavesdrop on all communications to and from the panel, modify onboard relays to alter access control state, change configuration files, cause device instability, or trigger denial of service. The vulnerabilities stem from improper access controls (CWE-693, CWE-425), buffer overflows (CWE-120), path traversal (CWE-22), and command injection (CWE-78).

What this means
What could happen
An attacker with network access to these panels could read all communications to and from the device, modify relay states to alter physical access control, change configuration files, or crash the device—effectively disabling access control systems.
Who's at risk
Building and facility managers, security operations teams, and IT staff responsible for access control systems. This affects all HID Mercury LenelS2 access control panels (models LNL-X2210, LNL-X2220, LNL-X3300, LNL-X4420, LNL-4420, S2-LP-1501, S2-LP-4502, S2-LP-2500, S2-LP-1502) used to control physical door locks and entry points.
How it could be exploited
An attacker reaches the device over the network, exploits one of the underlying vulnerabilities (input validation, path traversal, buffer overflow, command injection, or improper access controls) to gain unauthorized access to the web interface or management functions, then reads configuration, modifies relay outputs, or disrupts normal operation.
Prerequisites
  • Network access to the device on the management/web access port
  • Device must be reachable from attacker's network segment or the Internet (if not firewalled)
  • No authentication required for initial exploitation
Remotely exploitableNo authentication requiredLow complexity attackNo patch availableAffects security-critical systems (physical access control)High CVSS (10.0)
Exploitability
Some exploitation risk — EPSS score 9.1%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (9)
9 EOL
ProductAffected VersionsFix Status
HID Mercury access panels sold by LenelS2 - LNL-X3300LNL-X3300No fix (EOL)
HID Mercury access panels sold by LenelS2 - LNL-4420LNL-4420No fix (EOL)
HID Mercury access panels sold by LenelS2 - S2-LP-1501S2-LP-1501No fix (EOL)
HID Mercury access panels sold by LenelS2 - S2-LP-4502S2-LP-4502No fix (EOL)
HID Mercury access panels sold by LenelS2 - S2-LP-2500S2-LP-2500No fix (EOL)
HID Mercury access panels sold by LenelS2 - LNL-X2210LNL-X2210No fix (EOL)
HID Mercury access panels sold by LenelS2 - LNL-X2220LNL-X2220No fix (EOL)
HID Mercury access panels sold by LenelS2 - LNL-X4420LNL-X4420No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2
WORKAROUNDDisable web access on access panels by configuring them according to CARR-PSA-006-0622 instructions; require in-person or out-of-band login for configuration changes
HARDENINGEnsure all access control devices are behind firewalls and isolated from the business network; block any Internet-facing access to these panels
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware on all HID Mercury access panels to the latest version available from the LenelS2 Partner Center via Carrier support channels
HARDENINGIf remote access to panels is required, implement secure methods such as VPN with current patches and strong authentication
View full CISA ICS-CERT advisory
API: /api/v1/advisories/3f0e5e05-2a2e-4095-a9d8-f9be271fb0a8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.