CVE-2022-31486
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary shell commands on HID Mercury Intelligent Controllers by sending specially crafted routes to the edit_route.cgi binary. It affects LP1501, LP1502, LP2500, LP4502, and EP4502 controllers with outdated firmware. Successful exploitation enables attackers to monitor communications, modify device configurations, and potentially cause system instability.
💻 Affected Systems
- HID Mercury Intelligent Controller LP1501
- HID Mercury Intelligent Controller LP1502
- HID Mercury Intelligent Controller LP2500
- HID Mercury Intelligent Controller LP4502
- HID Mercury Intelligent Controller EP4502
📦 What is this software?
- EP4502 firmware by HID Global
- LP1501 firmware by HID Global
- LP1502 firmware by HID Global
- LP2500 firmware by HID Global
- LP4502 firmware by HID Global
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to monitor all communications, modify relays and configurations, install persistent backdoors, and potentially pivot to other network systems.
Likely Case
Attackers with authenticated access gain command execution to modify device configurations, disrupt operations, and monitor sensitive access control communications.
If Mitigated
With proper network segmentation and access controls, impact is limited to the isolated controller device without lateral movement opportunities.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is in a CGI binary that processes route data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: LP series: firmware version 1.303 or later, EP series: firmware version 1.297 or later
Vendor Advisory: https://www.corporate.carrier.com/product-security/advisories-resources/
Restart Required: Yes
Instructions:
1. Download the appropriate firmware update from the HID/Carrier support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface.
4. Apply the update and restart the device.
5. Verify the firmware version after reboot.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected controllers in separate VLANs with strict firewall rules limiting access to authorized management systems only.
Access Control Hardening
Implement strong authentication mechanisms, change default credentials, and restrict administrative access to specific IP addresses.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate controllers from critical networks
- Enforce strong authentication policies and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface or CLI. An LP series controller is vulnerable if its version is below 1.303; an EP series controller is vulnerable if its version is below 1.297.
Check Version:
Check via web interface at System > Firmware or use device-specific CLI commands if available.
Verify Fix Applied:
After patching, confirm firmware version meets minimum requirements: LP series >= 1.303, EP series >= 1.297.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to edit_route.cgi
- Multiple failed authentication attempts followed by successful login
- Unexpected configuration changes or system reboots
Network Indicators:
- Unusual outbound connections from controller devices
- Traffic patterns inconsistent with normal operation
SIEM Query:
source="controller_logs" AND (uri="/cgi-bin/edit_route.cgi" OR event="configuration_change")
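The log indicators above can be correlated per source address instead of matched one at a time. The following is an added example, not HID's or this page's own tooling: the key=value log format, the event names, the failure threshold and the management host address are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

ROUTE_URI = "/cgi-bin/edit_route.cgi"   # URI taken from the SIEM query above
FAIL_THRESHOLD = 3                       # assumed tuning value
MGMT_HOSTS = {"10.20.0.10"}              # assumed authorized management station

# Constructed sample lines; field names (ts, src, event, method, uri) are assumptions.
SAMPLE_LOG = """\
ts=2022-06-10T02:14:01Z src=10.20.0.55 event=auth_fail
ts=2022-06-10T02:14:03Z src=10.20.0.55 event=auth_fail
ts=2022-06-10T02:14:06Z src=10.20.0.55 event=auth_fail
ts=2022-06-10T02:14:09Z src=10.20.0.55 event=auth_ok
ts=2022-06-10T02:15:30Z src=10.20.0.55 event=http method=POST uri=/cgi-bin/edit_route.cgi
ts=2022-06-10T09:00:12Z src=10.20.0.10 event=auth_ok
ts=2022-06-10T09:01:40Z src=10.20.0.10 event=http method=POST uri=/cgi-bin/edit_route.cgi
ts=2022-06-10T09:05:00Z src=10.20.0.77 event=http method=GET uri=/cgi-bin/edit_route.cgi
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def find_alerts(log_text, threshold=FAIL_THRESHOLD, mgmt_hosts=MGMT_HOSTS):
    """Return (timestamp, source, reason) tuples for the log indicators listed above."""
    fails = defaultdict(int)      # consecutive failed logins per source
    brute_forced = set()          # sources whose login followed >= threshold failures
    alerts = []
    for line in log_text.splitlines():
        rec = dict(FIELD.findall(line))
        src, event = rec.get("src"), rec.get("event")
        if not src or not event:
            continue              # skip lines that do not parse
        if event == "auth_fail":
            fails[src] += 1
        elif event == "auth_ok":
            if fails[src] >= threshold:
                brute_forced.add(src)
                alerts.append((rec.get("ts"), src, "login after repeated failures"))
            fails[src] = 0        # a successful login resets the failure streak
        elif event == "http" and rec.get("method") == "POST" and rec.get("uri") == ROUTE_URI:
            if src in brute_forced:
                alerts.append((rec.get("ts"), src, "edit_route.cgi POST after suspicious login"))
            elif src not in mgmt_hosts:
                alerts.append((rec.get("ts"), src, "edit_route.cgi POST from unlisted host"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Route edits from the listed management station produce no alert, so the output stays limited to sources that either logged in after a failure streak or are not expected to change routes at all.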