A significant vulnerability in Brivo ACS100 and ACS300 has been disclosed and is still awaiting thorough analysis: an OS command injection flaw that allows an attacker to bypass physical security. The vulnerability stems from improper neutralization of special elements used in an OS command (‘OS Command Injection’). The flaw impacts ACS100 (Network Adjacent Access) and ACS300 (Physical Access) in versions 5.2.4 through 6.2.4.3.
The severity picture is currently split between NIST and the CNA, Security Risk Advisors: NIST has not yet provided a CVSS score, while the CNA rates the issue at 9.0, marking it as a critical vulnerability. Despite the absence of an official NVD CVSS score, the vulnerability calls for immediate attention and remediation measures.
Organizations using Brivo ACS100 and ACS300 are advised to stay vigilant pending the official analysis results, and to prepare for potential security updates or mitigations that prevent exploitation of this critical OS command injection flaw.