CVE-2026-24443

EventSentry < 6.0.1.20 Web Reports Unverified Password Change

CVSS 8.6 HIGHEPSS 0.5%CWE-620

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.6EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

24 fev 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Produtos afetados

NETIKUS.NET ltd · EventSentry

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://www.eventsentry.com/downloads/version-history https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change