Multiple zero-day vulnerabilities discovered by tenable research in building access technology

Tenable, the Cyber Exposure company, have announced that Tenable Research has discovered several zero-day vulnerabilities in the PremiSys access control system developed by IDenticard. When exploited, the most severe vulnerability would give an attacker unfettered access to the badge system database, allowing him/her to covertly enter buildings by creating fraudulent badges and disabling building locks. According to its website, IDenticard has tens of thousands of customers around the world, including Fortune 500 companies, K-12 schools, universities, medical centres and government agencies.

Today’s modern enterprise has an extremely complex digital infrastructure comprised of both traditional and modern assets — from workstations and on-premises servers to building security systems and smart devices. This level of complexity has made it increasingly difficult for security teams to establish secure networks in dynamic enterprise environments. The PremiSys zero-days are a stark reminder that the mass adoption of emerging technologies has quickly blurred the lines between physical and digital security. This discovery comes just a few months after Tenable Research found another zero-day flaw — dubbed Peekaboo — in global video surveillance software.

PremiSys technology allows customers to grant and restrict access to doors, lockdown facilities and view integrated video. Once exploited, the most severe flaw would give cybercriminals administrator access to the entire badge system database via the PremiSys Windows Communication Foundation (WCF) service endpoint. Using the administrator privileges, attackers can perform a variety of actions like downloading the full contents of the system database, modifying its contents or deleting users.

“The digital era has brought the cyber and physical worlds together thanks, in part, to the adoption of IoT. An organization’s security purview is no longer confined by a firewall, subnets, or physical perimeter — it’s now boundary less. This makes it critically important for security teams to have complete visibility into where they are exposed and to what extent,” said Renaud Deraison, co-founder and chief technology officer, Tenable.

“Unfortunately, many manufacturers in the new world of IoT don’t always understand the risks of unpatched software, leaving consumers and enterprises vulnerable to a cyber attack. In this case, organizations that use PremiSys for access control are at a huge risk as patches are not available. Beyond this particular issue, the security industry needs to have a wider dialogue about embedded systems and their maintainability over time.

“The complexity of the digital infrastructure is increasing, and so is its maintenance. We need vendors to be committed to delivering security patches in a timely manner, and in a fully automated way. Tenable Research is committed to cooperating with willing vendors on coordinated disclosures to help ensure consumers and organizations alike are secure. Industry collaboration is key to helping customers manage, measure and reduce their exposure.”

Tenable Research disclosed the vulnerabilities (CVE-2019-3906, CVE-2019-3907, CVE-2019-3908, CVE-2019-3909), which affect version 3.1.190, to IDenticard following standard procedures outlined in its vulnerability disclosure policy. The team made multiple attempts to contact the vendor. On November 19, Tenable informed CERT of the vulnerability. To reduce the risk of compromise, users should segment their network to ensure systems like PremiSys are isolated from internal and external threats as much as possible.

www.tenable.com

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

ASSA ABLOY - securitybuyer.com

BG100 Speedgate Recognised with Red Dot Award

Combining an Aesthetically Appealing Design, Function and Innovation, the BG100 Speedgate Sets New Benchmark for …
Product Spotlight - Videx - securitybuyer.com

Product Spotlight – Era Series

VIDEX presents its new series of outdoor compact video door entry systems, Era Series, and showcases their durability, configuration…
Milestone - SecurityBuyer

Milestone Systems updates across XProtect, BriefCam, Arcules

Milestone Systems today announced updates across its complete security technology portfolio with releases for XProtect
ASSA ABLOY SMARTair - Security Buyer

More flexible management of Gen-Z student accommodation

Almost everyone attending university for the first time is now a digital native. They expect the convenience…
ICT - securitybuyer

ICT announces Martin Vermaak as COO

Integrated Control Technology (ICT), a leading provider of intelligent access control, intrusion detection, building automation..
SB Awards register now advert - Security Buyer

Launching Security Buyer Awards

Honouring innovation, leadership, and success across the global security industry at the Security Buyer Judges’ and Readers’ Awards 2025 
Product Spotlight - HID

Product Spotlight – HID

Access control is evolving into a smart, responsive platform—integrating embedded apps, IoT, and cybersecurity to deliver…
ICT

ICT announces Stewart Meyer as Chief Marketing Officer

Integrated Control Technology (ICT®), a leading provider of intelligent access control, intrusion detection, building automation and…
ASSA ABLOY Opening Solutions

Digitalising access and optimising workflows

Digitalization is high on the agenda, or well under-way, in all kinds of commercial environments. As part of this process…
TDSi

TDSi Launches UK GARDiS Installer Training

Integrated Access Control and Security manufacturer TDSi announces that it is offering a free Training Kit to individuals taking part…
Scroll to Top