Connect with us

Hi, what are you looking for?


IoT Security

Vulnerabilities in HID Mercury Access Controllers Allow Hackers to Unlock Doors

Access control products using HID Mercury controllers are affected by critical vulnerabilities that can be exploited by hackers to remotely unlock doors.

Access control products using HID Mercury controllers are affected by critical vulnerabilities that can be exploited by hackers to remotely unlock doors.

The vulnerabilities were discovered by researchers at XDR firm Trellix, which launched earlier this year following the merger of McAfee Enterprise and FireEye.

The issues were found in products from LenelS2 — a subsidiary of HVAC giant Carrier that specializes in physical security solutions — but Trellix said it received confirmation from HID Global that all OEM partners that use certain hardware controllers are affected.

Trellix researchers identified a total of eight vulnerabilities, seven of which have been assigned “critical” or “high” severity ratings. The flaws can be exploited for remote code execution, command injection, denial-of-service (DoS), information spoofing, and writing arbitrary files.

Most of these vulnerabilities can be exploited without authentication, but exploitation requires a direct connection to the targeted system. Sam Quinn, senior security researcher at Trellix, told SecurityWeek that these systems should not be exposed to the internet.

“Best practices are that these [systems] are behind a firewall and not directly connected to the internet, but it’s possible this practice is not always the case in the wild. Users should be sure installation guidelines are followed,” Quinn explained.

The cybersecurity firm’s analysis involved hardware hacking and reverse engineering of software. Its researchers then created a proof-of-concept (PoC) exploit that shows how an attacker can unlock any door and subvert monitoring systems. A video shows the exploit in action.

Advertisement. Scroll to continue reading.

Trellix told SecurityWeek that it plans on releasing a series of detailed technical blogs describing these vulnerabilities in the upcoming weeks.

Carrier has released an advisory to inform customers about the availability of patches (firmware updates) and mitigations.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also published an advisory to inform organizations about the risk posed by the vulnerabilities.

Related: Hackers Can Open Doors by Exploiting Vulnerabilities in Hörmann Device

Related: Unpatched Flaws in Building Access System Allow Hackers to Create Fake Badges

Related: Vulnerability in IDEMIA Biometric Readers Allows Hackers to Unlock Doors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.