Description
Improper Locking vulnerability (CWE-667) in Gallagher Morpho integration allows a privileged operator to cause a limited denial-of-service in the Command Centre Server.



This issue affects Command Centre Server:

9.40 prior to vEL9.40.1976(MR1), 9.30 prior to vEL9.30.3382 (MR4), 9.20 prior to vEL9.20.3783 (MR6), 9.10 prior to vEL9.10.4647 (MR9), all versions of 9.00 and prior.
Published: 2026-03-03
Score: 2.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Limited Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper locking issue (CWE‑667) in the Gallagher Morpho integration. If exploited by a privileged operator, it allows the operator to trigger a lock that can cause a temporary interruption in service of the Command Centre Server. The impact is therefore a limited denial‑of‑service rather than a broad compromise of confidentiality or integrity.

Affected Systems

Gallagher Command Centre Server versions are affected: any release from 9.00 onward up to but not including vEL9.40.1976 (MR1), vEL9.30.3382 (MR4), vEL9.20.3783 (MR6), vEL9.10.4647 (MR9) and all earlier 9.40, 9.30, 9.20, 9.10, and 9.00 series. All versions older than vEL9.40.1976 are vulnerable.

Risk and Exploitability

The CVSS score of 2.5 indicates a low severity for this denial‑of‑service exploit, and the EPSS score of less than 1% suggests a very low probability of active exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local, involving a privileged operator who has direct access to the Command Centre Server. There are no publicly known mitigations besides applying an update; the vendor does not provide a formal workaround.

Generated by OpenCVE AI on April 16, 2026 at 14:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Gallagher Command Centre Server update that contains the fix for the improper locking bug
  • Revoke or restrict privileged operator accounts that could trigger the issue from executing actions that involve Morpho integration
  • Continuously monitor system performance and logs for lock contention or repetitive denial‑of‑service symptoms to detect any remaining exploitation attempts

Generated by OpenCVE AI on April 16, 2026 at 14:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Improper Locking in Gallagher Morpho Integration Causes Limited Denial-of-Service

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Gallagher
Gallagher command Centre
Vendors & Products Gallagher
Gallagher command Centre

Tue, 03 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Improper Locking vulnerability (CWE-667) in Gallagher Morpho integration allows a privileged operator to cause a limited denial-of-service in the Command Centre Server. This issue affects Command Centre Server: 9.40 prior to vEL9.40.1976(MR1), 9.30 prior to vEL9.30.3382 (MR4), 9.20 prior to vEL9.20.3783 (MR6), 9.10 prior to vEL9.10.4647 (MR9), all versions of 9.00 and prior.
Weaknesses CWE-667
References
Metrics cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Gallagher Command Centre
cve-icon MITRE

Status: PUBLISHED

Assigner: Gallagher

Published:

Updated: 2026-03-03T15:43:33.823Z

Reserved: 2026-03-01T23:45:09.766Z

Link: CVE-2026-20757

cve-icon Vulnrichment

Updated: 2026-03-03T15:42:59.785Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-03T03:15:54.377

Modified: 2026-03-03T21:52:29.877

Link: CVE-2026-20757

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:15:28Z

Weaknesses