CVE-2022-31485

Unauthenticated homepage note modification

Description

An unauthenticated attacker can send specially crafted packets to update the “notes” section of the home page of the web interface. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.29.

Remediation

Solution:

  • Update to the latest version of firmware

Workaround:

  • Disable the controller's Web Server. When the controller is configured to disable web access, you cannot remotely log in to the controller’s web page.
      1. Log in to the controller web pages.
      2. Go to the “Users” tab.
      3. Near the bottom of the Users page, check the option “Disable Web Server”.
      4. Select “Submit” at the bottom of the page.
      5. Select the “Apply Settings” tab.
      6. On that page, select the “Apply Settings, Reboot” button.

    The controller will apply the new setting and reboot. Web login will be disabled until switch 1 is physically turned ON on the controller.

CVSS: 5.3
Severity: Medium
EPSS: 0.20%
Vendor Advisory carrier.com
Affected: LenelS2 LNL-X2210
Affected: LenelS2 LNL-X2220
Affected: LenelS2 LNL-X3300
Affected: LenelS2 LNL-X4420
Affected: LenelS2 LNL-4420
Affected: LenelS2 S2-LP-1501
Affected: LenelS2 S2-LP-1502
Affected: LenelS2 S2-LP-2500
Affected: LenelS2 S2-LP-4502
Affected: HID Mercury LP1501
Affected: HID Mercury LP1502
Affected: HID Mercury LP2500
Affected: HID Mercury LP4502
Affected: HID Mercury EP4502
Frequently Asked Questions

What is the severity of CVE-2022-31485?
CVE-2022-31485 has been scored as a medium severity vulnerability.
How to fix CVE-2022-31485?
To fix CVE-2022-31485: Update to the latest version of firmware
Is CVE-2022-31485 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2022-31485 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-31485?
CVE-2022-31485 affects LenelS2 LNL-X2210, LenelS2 LNL-X2220, LenelS2 LNL-X3300, LenelS2 LNL-X4420, LenelS2 LNL-4420, LenelS2 S2-LP-1501, LenelS2 S2-LP-1502, LenelS2 S2-LP-2500, LenelS2 S2-LP-4502, HID Mercury LP1501, HID Mercury LP1502, HID Mercury LP2500, HID Mercury LP4502, HID Mercury EP4502.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.