CVE-2024-47254 2N CVE debrief

Who should care

Organizations using 2N Access Commander for physical access control, particularly in critical infrastructure, government facilities, healthcare, and enterprise environments. Security teams managing ICS/OT networks, system administrators responsible for access control infrastructure, and compliance officers concerned with physical security system integrity should prioritize this update.

Technical summary

CVE-2024-47254 is an insufficient verification of data authenticity vulnerability in 2N Access Commander versions 3.1.1.2 and prior. The flaw allows an attacker to escalate privileges and gain root access to the system. The CVSS 3.1 score of 6.3 (MEDIUM) reflects high attack complexity with adjacent network access, high privileges, and user interaction required, but complete system compromise (C:H/I:H/A:H) if exploited. The vulnerability was initially disclosed on November 14, 2024, with Update A released February 11, 2025. 2N has provided version 3.3 as a remediation. This affects physical access control systems, making prompt patching critical for organizational security.

Defensive priority

high

Recommended defensive actions

• Update 2N Access Commander to version 3.3 immediately from the 2N download center
• Review and apply ICS security best practices for network segmentation and access control
• Monitor for unauthorized privilege escalation attempts on Access Commander systems
• Verify integrity of downloaded firmware before installation
• Restrict network access to Access Commander management interfaces to authorized personnel only

Evidence notes

CISA ICS advisory ICSA-24-319-17 (Update A) confirms 2N Access Commander versions 3.1.1.2 and prior are affected. CVSS 3.1 score of 6.3 (MEDIUM) with vector AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H. Vendor fix available: Access Commander version 3.3.

Official resources