2N Access Commander (Update A)

Plan Patch
CVSS 7.2
ICS-CERT ICSA-24-319-17
Nov 14, 2024
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

2N Access Commander versions 3.1.1.2 and earlier contain multiple vulnerabilities (path traversal, weak cryptographic storage, and missing access controls) that allow an attacker with administrative credentials to escalate privileges, execute arbitrary code, and gain root access to the system. These vulnerabilities affect all deployments and are remediated in version 3.3.

What this means
What could happen
An attacker with administrative credentials could escalate privileges to gain root access, execute arbitrary code on Access Commander, and potentially control or disrupt door access systems and related authentication infrastructure across your facility.
Who's at risk
This affects organizations running 2N Access Commander for physical access control and door management systems. Access control system operators and IT staff managing access credentials should prioritize this, particularly if the system is reachable from the network or if administrative credentials are shared across multiple personnel.
How it could be exploited
An attacker with administrative access to Access Commander (via compromised credentials or local network access) could exploit vulnerabilities in privilege escalation, hard-coded secrets, and path traversal to execute arbitrary commands with root-level permissions on the system.
Prerequisites
  • Administrative credentials for Access Commander
  • Network access to the Access Commander system (can be internal IT network or direct if internet-exposed)
  • remotely exploitable
  • high-privilege credentials required
  • affects physical security and access control systems
  • privilege escalation to root access possible
  • arbitrary code execution possible
Exploitability
Some exploitation risk — EPSS score 5.4%
Affected products (2)
2 with fix
Product          | Affected Versions | Fix Status
Access Commander | ≤ 3.1.1.2         | 3.3
Access Commander | ≤ 1.14            | 3.3
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Access Commander management interface to authorized engineering and IT networks only; block direct internet access to the system
HARDENING: Enforce strong, unique administrative passwords for Access Commander accounts and implement multi-factor authentication if supported
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Access Commander to version 3.3 or later
Long-term hardening
HARDENING: Segment Access Commander onto a dedicated network or VLAN separate from general IT business networks