On February 6, 2024, HID Global disclosed a security advisory (ICSA-24-037-01) addressing an Improper Authorization vulnerability with a CVSS v3 score of 5.9. The flaw affects HID products such as iCLASS SE and OMNIKEY when they are configured as encoders, and it poses a risk of unauthorized access to reader configuration cards and credentials. Exploitation could allow an attacker to create malicious configuration cards or credentials. HID describes the vulnerability as demanding immediate attention and recommends that users take the protective measures outlined in the advisory.
Affected products, including the iCLASS SE CP1000 Encoder, iCLASS SE Readers, and OMNIKEY 5427CK Readers, require prompt mitigation. HID advises safeguarding reader configuration cards, updating credentials, and disabling legacy technologies to reduce exposure. The advisory also provides recommendations for hardening iCLASS SE Readers and OMNIKEY Readers against unauthorized configuration changes. CISA supports these measures and encourages organizations to implement defensive strategies, including minimizing network exposure and using secure remote access methods.
While no public exploitation has been reported, organizations are urged to follow CISA’s guidance for proactive defense. The advisory underscores the importance of timely action to secure HID Global encoders and to protect against unauthorized access and credential compromise.