8 zero-day vulnerabilities discovered in popular industrial control system from Carrier – The Record by Recorded Future
Eight zero-day vulnerabilities affecting a popular industrial control system provided by Carrier have been identified and patched, according to security researchers from Trellix who discovered the issues.
The vulnerabilities affect the LenelS2 Mercury access control panel, which is used to grant physical access to facilities and integrate with more complex building automation deployments.
Carrier's LenelS2 Mercury access control panels are widely used across hundreds of companies in the healthcare, education, and transportation industries as well as federal government agencies and organizations.
Trellix said they combined both known and novel techniques that allowed them to hack the system, achieve root access to the device's operating system and pull firmware for emulation and vulnerability discovery.
Carrier associate director of product security architecture Joshua Jessurun disputed the idea that these are zero-day vulnerabilities but told The Record that his team worked with Trellix on remediating the issues and released an advisory with detailed guidelines on what users need to do to address the vulnerabilities. Some of the issues need to be mitigated while most are addressed in firmware updates.
The Cybersecurity and Infrastructure Security Agency (CISA) released its own advisory on the issues, which are tagged as CVE-2022-31479, CVE-2022-31480, CVE-2022-31481, CVE-2022-31482, CVE-2022-31483, CVE-2022-31484, CVE-2022-31485, and CVE-2022-31486, with most carrying CVSS scores above 7.5.
CISA explained that exploitation of the bugs would give an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.
Trellix security researchers Steve Povolny and Sam Quinn said they anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux Operating System and root access to the board could be achieved by leveraging classic hardware hacking techniques.
"While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology. Furthermore, this product has been approved for U.S. Federal Government use following rigorous security vulnerability and interoperability testing," the two explained, noting that they took their findings to CISA after discovery.
"Using the manufacturer's built-in ports we were able to manipulate on-board components and interact with the device. Through reverse engineering and live debugging, we discovered six unauthenticated and two authenticated vulnerabilities exploitable remotely over the network."
They managed to bypass security measures by utilizing hardware hacking techniques to force the system into desired states.
The two explained that by chaining just two of the vulnerabilities together, they were able to exploit the access control board and gain root level privileges on the device remotely.
"With this level of access, we created a program that would run alongside of the legitimate software and control the doors. This allowed us to unlock any door and subvert any system monitoring," they said.
"Most significantly, the vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems."
They added that customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors, which could lead to both digital or physical breaches of sensitive information and protected locations.
The two noted that the tools were added to the Government Service Administration (GSA) Approved Product List (APL) and were approved for federal government use, giving the impression that the product was highly vetted.
"It is crucial to independently evaluate the certifications of any product prior to adding it into an IT or OT environment," Povolny and Quinn said.
Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.