Tenable Research discovered four zero-day vulnerabilities in PremiSys access control system from IDenticard (PremiSys IDenticard). The first, a hardcoded backdoor account, “allows attackers to add new users to the badge system, modify existing users, delete users, assign permission, and pretty much any other administrative function.”
The ability to “give an attacker unfettered access to the badge system database, allowing him/her to covertly enter buildings by creating fraudulent badges and disabling building locks” is troubling considering tens of thousands of customers, ranging from K-12 schools, universities, government agencies, medical centers, and Fortune 500 companies, rely on IDenticard for secure key card access.
