Uniqcli Security
Severity: Critical. Vendors: HID Global (Mercury) / LenelS2 / Carrier. Published: June 6, 2022

HID Mercury LP/EP Intelligent Controllers: Unauthenticated Buffer Overflow Enables Remote Code Execution and Door Control

Summary

A defect in the firmware update handler of HID Mercury LP- and EP-series intelligent controllers lets an unauthenticated attacker on the network send a crafted update file that overflows a buffer and runs arbitrary code with full privileges on the panel. Because these panels are the brains behind the readers and door strikes, code execution translates directly into the ability to unlock doors, suppress alarms, rewrite configuration, and erase audit trails. The same OEM controller board ships rebadged under LenelS2 and Carrier part numbers, so a single unpatched firmware image exposes a large installed base across federal and enterprise sites.

Affected products

HID Mercury LP1501 (firmware < 1.302)
HID Mercury LP1502 (firmware < 1.302)
HID Mercury LP2500 (firmware < 1.302)
HID Mercury LP4502 (firmware < 1.302)
HID Mercury EP4502 (firmware < 1.296)
LenelS2 LNL-4420 (firmware < 1.296)
LenelS2 LNL-X2210 / LNL-X2220 / LNL-X3300 / LNL-X4420 (firmware < 1.302)

Impact

An attacker with network reachability to the controller can achieve pre-authentication remote code execution (CVSS 3.1 base 10.0, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The changed scope in that vector (S:C) reflects that code running on the panel reaches beyond the panel itself: the doors, readers and head end all act on what it reports. Consequences include remotely toggling door relays to grant or deny entry, disabling intrusion and tamper notifications, modifying onboard configuration, and crashing the controller so that every door it serves drops out of the head end's control. Compromise of the controller undermines the integrity of every credential decision and event log it produces.

Remediation

Update affected LP-series panels to firmware 1.302 or later and EP-series panels to 1.296 or later, then confirm the version the head end reports after the panel reboots rather than trusting the staging record. LenelS2- and Carrier-branded equivalents take the fix through the LenelS2 Partner Center or your OEM channel; note from the list above that the LenelS2 LNL-4420 follows the EP threshold (1.296) while the LNL-X series follows the LP threshold (1.302). Because the vulnerable handler requires no credentials, network position is the only other barrier: place all controllers on a dedicated, segmented access-control VLAN with no direct internet exposure, enforce TLS between controller and host, and restrict management access to a hardened jump host. Segmentation narrows who can reach the update handler; it does not close it, so treat it as a stopgap until the firmware is applied. Uniqcli Security can inventory your controller fleet against this advisory, stage and validate the firmware, and, where panels are end-of-life or unsupported, design a TAA-compliant Mercury MP or OSDP-secure replacement path.
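The inventory step above is where most fleets go wrong, usually because the EP and LP thresholds get mixed up or a panel's firmware field is blank. The following is an added triage script (example code, not tooling from this advisory or from HID, LenelS2 or Carrier) that encodes the affected-products list exactly as printed above and classifies each row of a constructed CSV export. The hostnames and addresses are made up; the one row with a model not in the list is there to exercise the unknown-model path, which should go to the OEM for confirmation rather than be marked clean. Carrier-branded part numbers are not listed on this page, so they are not in the table either.

```python
"""Fleet triage against this advisory's affected-products list.

Added example, not the advisory's or any vendor's tooling. It reads a
constructed CSV inventory (hostname,ip,model,firmware) of the kind a head-end
export would give you and flags each panel as VULNERABLE, PATCHED,
UNKNOWN_MODEL (not in the list; confirm with the OEM) or UNPARSEABLE_VERSION
(fix the inventory before trusting the result).
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# First fixed firmware per model, copied from the affected-products list
# above. A panel is vulnerable when its running firmware is strictly older.
FIXED_FIRMWARE = {
    "LP1501": "1.302", "LP1502": "1.302", "LP2500": "1.302", "LP4502": "1.302",
    "EP4502": "1.296",
    "LNL-4420": "1.296",
    "LNL-X2210": "1.302", "LNL-X2220": "1.302",
    "LNL-X3300": "1.302", "LNL-X4420": "1.302",
}


@dataclass
class Finding:
    hostname: str
    ip: str
    model: str
    firmware: str
    status: str


def parse_version(text):
    """'1.302' -> (1, 302). Fields compare as integers, matching the notation
    the advisory uses; anything that is not dotted digits returns None so it
    is surfaced instead of silently sorting somewhere."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


def normalize_model(model):
    """Upper-case and drop whitespace so 'lp1502' and 'LNL-X4420 ' still match."""
    return re.sub(r"\s+", "", model.upper())


def classify(model, firmware):
    """Status for one panel given its model and running firmware."""
    fixed = FIXED_FIRMWARE.get(normalize_model(model))
    if fixed is None:
        return "UNKNOWN_MODEL"
    running = parse_version(firmware)
    if running is None:
        return "UNPARSEABLE_VERSION"
    return "VULNERABLE" if running < parse_version(fixed) else "PATCHED"


def triage(inventory_csv):
    """One Finding per inventory row."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings.append(Finding(row["hostname"].strip(), row["ip"].strip(),
                                normalize_model(row["model"]),
                                row["firmware"].strip(),
                                classify(row["model"], row["firmware"])))
    return findings


def summarize(findings):
    """Counts per status, e.g. {'VULNERABLE': 2, 'PATCHED': 3, ...}."""
    return dict(Counter(f.status for f in findings))


# Constructed inventory for the example; hostnames and addresses are made up.
# The last row uses a model name that is not in the advisory's list.
SAMPLE_INVENTORY = """hostname,ip,model,firmware
acp-lobby-01,10.20.30.11,LP1502,1.294
acp-dock-02,10.20.30.12,lnl-x4420,1.301
acp-dc-03,10.20.30.13,EP4502,1.296
acp-annex-04,10.20.30.14,LNL-4420,1.296
acp-annex-05,10.20.30.15,lp2500 ,1.302
acp-garage-06,10.20.30.16,LP4502,n/a
acp-legacy-07,10.20.30.17,EP1501,1.29
"""

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.hostname:14} {f.ip:13} {f.model:10} {f.firmware:6} {f.status}")
    print(summarize(results))
```

Two rows are worth a second look when you run this against a real export: acp-dc-03 (EP4502) and acp-annex-04 (LNL-4420) are both PATCHED at 1.296, but a LNL-X4420 at the same 1.296 would be VULNERABLE, because the X series takes the LP threshold. Treat UNKNOWN_MODEL and UNPARSEABLE_VERSION as open items, not as clean.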
