2N Access Commander (Update A)
Plan Patch · CVSS 7.2 · ICS-CERT ICSA-24-319-17 · Nov 14, 2024
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
2N Access Commander contains three vulnerabilities (CWE-22 path traversal, CWE-345 insufficient authentication, CWE-321 use of hard-coded credentials) that could allow privilege escalation, arbitrary code execution, and root access to the system. Access Commander versions 3.1.1.2 and earlier, and version 1.14 and earlier are affected.
What this means
What could happen
An attacker with elevated credentials could gain root access to the Access Commander system, allowing them to execute arbitrary commands that could alter door access controls, compromise security policies, or disrupt physical access logging across connected facilities.
Who's at risk
Organizations running physical access control systems (badge readers, door locks, turnstiles) managed by 2N Access Commander. This affects facility security teams, building management system operators, and security operations staff who depend on the system for access logging and policy enforcement.
How it could be exploited
An attacker with privileged account credentials (engineering or administrative access) could exploit hard-coded credentials or path traversal flaws to escalate privileges and gain root-level control of the Access Commander server. From there, they could modify access rules, disable logging, or inject commands into the device management system.
Prerequisites
- Elevated user credentials (engineering or administrative account)
- Network access to Access Commander server management interface
- Knowledge of or ability to discover hard-coded credentials or exploitable authentication mechanisms
- Hard-coded credentials in code
- Path traversal vulnerability
- Insufficient authentication controls
- Requires high privilege (reduces immediate risk but critical if compromised)
- No patch available for version 1.14 track
Exploitability
Moderate exploit probability (EPSS 4.6%)
Affected products (2)
2 with fix
Product             Affected Versions   Fix Status
Access Commander    ≤ 3.1.1.2           3.3
Access Commander    ≤ 1.14              3.3
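The affected ranges above are inclusive upper bounds, and the fixed release (3.3) is newer than the last affected 3.x build, so a deployed version can fall into three buckets: affected, fixed, or not covered by the advisory at all. The script below is an added example (not 2N's or CISA's code) that triages an inventory of hosts against those ranges; the hostnames and versions in the sample inventory are constructed, and the comparison treats missing version components as zero so that "3.3" and "3.3.0.0" are equal.

```python
"""Triage 2N Access Commander hosts against the advisory's version ranges.

Added example, not code from 2N or the advisory. The inventory below is
constructed sample data; only the version bounds come from the advisory.
"""
from typing import Dict, List, Tuple

# Inclusive upper bounds of the affected ranges and the fixed release,
# as stated in the advisory.
AFFECTED_UPPER_BOUNDS = ("3.1.1.2", "1.14")
FIXED_VERSION = "3.3"


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.1.1.2' -> (3, 1, 1, 2). Raises ValueError on non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples; missing components count as zero,
    so (3, 3) == (3, 3, 0, 0) and (1, 14) < (3, 1, 1, 2). Returns -1, 0 or 1."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    v = parse_version(version)
    if compare(v, parse_version(FIXED_VERSION)) >= 0:
        return "fixed"
    for bound in AFFECTED_UPPER_BOUNDS:
        if compare(v, parse_version(bound)) <= 0:
            return "affected"
    # Newer than every affected bound but older than the fix: the advisory
    # names no such version, so do not assume it is safe.
    return "unlisted"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by classification; unparseable versions go under 'unknown'."""
    groups: Dict[str, List[str]] = {
        "affected": [], "fixed": [], "unlisted": [], "unknown": []
    }
    for host, version in inventory.items():
        try:
            groups[classify(version)].append(host)
        except ValueError:
            groups["unknown"].append(host)
    return groups


# Constructed sample inventory; hostnames and versions are not from the advisory.
SAMPLE_INVENTORY = {
    "ac-hq-01": "3.1.1.2",
    "ac-hq-02": "3.3",
    "ac-branch-01": "1.14",
    "ac-branch-02": "1.12.3",
    "ac-lab-01": "3.2",
    "ac-old-01": "n/a",
}

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group:9s} {', '.join(hosts) or '-'}")
```

Hosts reported as "unlisted" (here the constructed "3.2") sit between the last affected build and the fix; treat them as needing the 3.3 update rather than as clean, and resolve "unknown" entries by checking the version on the device itself.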
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Access Commander management interfaces using firewall rules; ensure the system is not reachable from the Internet or untrusted networks
WORKAROUND: For systems running version 1.14 with no available patch, implement compensating controls: strict access control lists on the server, continuous monitoring of access logs, and consideration of hardware replacement if security requirements demand it
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Update Access Commander to version 3.3 or later from the 2N download center
HARDENING: Require multi-factor authentication for all engineering and administrative access to Access Commander
HARDENING: Conduct a security audit of Access Commander configurations to identify any use of default or weak credentials
Long-term hardening
HARDENING: Implement network segmentation to isolate the Access Commander system from business networks and the Internet