{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24443", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-22T20:23:19.804Z", "datePublished": "2026-02-24T20:14:44.688Z", "dateUpdated": "2026-05-14T02:09:41.146Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EventSentry", "vendor": "NETIKUS.NET ltd", "versions": [{"lessThan": "6.0.1.20", "status": "affected", "version": "0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:netikus:eventsentry:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.1.20"}]}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc."}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "EventSentry versions prior to 6.0.1.20&nbsp;contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation."}], "value": "EventSentry versions prior to 6.0.1.20\u00a0contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-620", "description": "CWE-620 Unverified Password Change", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:09:41.146Z"}, "references": [{"tags": ["release-notes", "patch"], "url": "https://www.eventsentry.com/downloads/version-history"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change"}], "source": {"discovery": "EXTERNAL"}, "title": "EventSentry < 6.0.1.20 Web Reports Unverified Password Change", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:40:31.199548Z", "id": "CVE-2026-24443", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:40:48.632Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24443", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T21:40:31.199548Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:40:44.239Z"}}], "cna": {"title": "EventSentry < 6.0.1.20 Web Reports Unverified Password Change", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc."}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NETIKUS.NET ltd", "product": "EventSentry", "versions": [{"status": "affected", "version": "0", "lessThan": "6.0.1.20", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.eventsentry.com/downloads/version-history", "tags": ["release-notes", "patch"]}, {"url": "https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "EventSentry versions prior to 6.0.1.20\u00a0contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.", "supportingMedia": [{"type": "text/html", "value": "EventSentry versions prior to 6.0.1.20&nbsp;contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-620", "description": "CWE-620 Unverified Password Change"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netikus:eventsentry:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.0.1.20"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:09:41.146Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24443", "state": "PUBLISHED", "dateUpdated": "2026-05-14T02:09:41.146Z", "dateReserved": "2026-01-22T20:23:19.804Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-24T20:14:44.688Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netikus:eventsentry:*:*:*:*:*:*:*:*", "matchCriteriaId": "658C31C0-7F16-4E68-92AA-B5FE24763167", "versionEndExcluding": "6.0.1.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EventSentry versions prior to 6.0.1.20\u00a0contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation."}], "id": "CVE-2026-24443", "lastModified": "2026-02-26T03:00:27.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-24T21:16:29.293", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://www.eventsentry.com/downloads/version-history"}, {"source": "disclosure@vulncheck.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-620"}], "source": "disclosure@vulncheck.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.0.1.20)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 90.0, "source": "matching"}]}, "original": {"product": "EventSentry", "source": "cna", "vendor": "NETIKUS.NET ltd"}, "product": "eventsentry", "vendor": "netikus"}], "analysis": {"en": {"generated_at": "2026-04-17T15:39:29.220762+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011released patch by upgrading to EventSentry\u202f6.0.1.20 or later.", "If an upgrade cannot be performed immediately, restrict or disable the Web Reports interface for all non\u2011admin users, or block the relevant services until the patch is applied.", "Force a password reset for all accounts, particularly administrators, and enable multi\u2011factor authentication to guard against session hijacking and credential compromise."], "summary": {"action": "Patch Immediately", "impact": "Account takeover and privilege escalation via unchecked password changes"}, "threat_synthesis": {"affected_systems": "This flaw affects the EventSentry product from NETIKUS.NET ltd. Versions prior to 6.0.1.20 are vulnerable, so all installations running earlier builds are impacted.", "description_and_impact": "The vulnerability allows an authenticated user to change the password for any account without providing the current password, which violates principle of credential validation. This flaw is captured by CWE\u2011620 and effectively lets an attacker take over a target account after briefly gaining a valid session. The impact includes permanent credential compromise and, if an administrative account is affected, potential escalation of privileges.", "risk_and_exploitability": "The severity score of 8.6 indicates a high\u2011level threat, but the exploitation probability according to EPSS is very low (< 1%). The vulnerability is not currently listed in CISA\u2019s KEV catalog, suggesting no confirmed widespread exploitation at this time. The likely attack path involves an attacker who has temporary authenticated access to the system, such as through session hijacking or using a legitimate user\u2019s browser. Once temporary access is secured, the attacker can change the password and lock out the legitimate owner, resulting in persistent account takeover."}}}}, "created": "2026-02-25T11:35:34.906095+00:00", "updated": "2026-04-17T15:45:15.900559+00:00", "vendors": ["netikus", "netikus$PRODUCT$eventsentry"]}