IDenticard PremiSys Access Control System Vulnerabilities Identified

ICS-CERT has published an advisory about three high-severity vulnerabilities that affect the IDenticard PremiSys access control system. The vulnerabilities affect all versions of PremiSys software before version 4.1.

A malicious actor could successfully exploit the vulnerabilities and obtain full access to the system with admin privileges. That would allow theft of sensitive data stored in backups and of access credentials. Remote exploitation of the vulnerabilities is possible, and even attackers with a low skill level could pull off a successful attack.

CVE-2019-3906 is the highest severity vulnerability with a CVSS v3 base score of 8.8. It involves hard-coded credentials and if exploited, would give the attacker full admin access to the PremiSys WCF Service endpoint.

CVE-2019-3907 is a vulnerability related to the method used to encrypt data. The flaw has been assigned a CVSS v3 base score of 7.5. The encryption method uses a weak algorithm, so the protected data could be decrypted to steal sensitive information.

CVE-2019-3908 is a vulnerability with a CVSS v3 base score of 7.5. The system stores backup files as encrypted zip files; however, a hard-coded password is included in the file and it is not possible to change the password. Exploitation of the vulnerability would allow an attacker to gain access to information stored in backups.

IDenticard has fixed the hard-coded credential vulnerability (CVE-2019-3906) in version 4.1 of its software. Users should update to version 4.1 as soon as possible. IDenticard expects to issue a new software version in February 2019 to address the other two vulnerabilities.


As a temporary mitigation, NCCIC makes the following recommendations:

  • Restrict and monitor access to port 9003/TCP.
  • Locate the system behind a firewall.
  • Ensure that the access control system is not accessible over the Internet.
  • If remote access is required, use a VPN for access.

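As an added example, not part of the NCCIC advisory or IDenticard's software, the following Python script turns the first recommendation (restrict and monitor port 9003/TCP) into a detection check: it parses constructed firewall log lines and reports every connection attempt to TCP port 9003 that did not originate from an allowlisted management subnet. The log line format, the management subnet (10.10.5.0/24) and the server address are assumptions made for the example.

```python
import ipaddress
import re

# Port the advisory asks operators to restrict and monitor (PremiSys service).
PREMISYS_PORT = 9003

# Assumed: the only subnet permitted to reach the access control server.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# Assumed firewall log line format (constructed for this example).
LOG_RE = re.compile(
    r"(?P<ts>\S+) fw: (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def source_allowed(src: str) -> bool:
    """True if the source address lies inside an allowlisted subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_unexpected_premisys_access(lines):
    """Return (timestamp, action, src, dst) for every TCP/9003 connection
    attempt that did not originate from the allowlisted subnet.  Both
    ACCEPTed and DROPped attempts are reported: a DROP still shows someone
    reaching for the port and is worth an alert."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines in a different format
        if m["proto"] != "TCP" or int(m["dport"]) != PREMISYS_PORT:
            continue
        if not source_allowed(m["src"]):
            findings.append((m["ts"], m["action"], m["src"], m["dst"]))
    return findings

# Constructed sample log: an allowed admin session, a blocked external attempt,
# an accepted connection from an unexpected internal host, and unrelated HTTPS.
SAMPLE_LOG = [
    "2019-01-15T10:01:02Z fw: ACCEPT TCP 10.10.5.21:51234 -> 10.10.9.40:9003",
    "2019-01-15T10:02:15Z fw: DROP TCP 203.0.113.77:40001 -> 10.10.9.40:9003",
    "2019-01-15T10:03:40Z fw: ACCEPT TCP 10.10.7.13:49000 -> 10.10.9.40:9003",
    "2019-01-15T10:04:00Z fw: ACCEPT TCP 10.10.7.13:49001 -> 10.10.9.40:443",
]

if __name__ == "__main__":
    for ts, action, src, dst in find_unexpected_premisys_access(SAMPLE_LOG):
        print(f"{ts} {action} TCP/{PREMISYS_PORT} {src} -> {dst}")
```

The accepted connection from 10.10.7.13 is the finding that matters most: a rule that only alerts on DROPs would miss a host that the firewall already lets through.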
About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/