CVE-2026-24443
Awaiting Analysis Awaiting Analysis - Queue

Unverified Password Change Vulnerability in EventSentry Web Reports

Vulnerability report for CVE-2026-24443, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-24

Last updated on: 2026-02-26

Assigner: VulnCheck

Description

EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-24
Last Modified
2026-02-26
Generated
2026-07-06
AI Q&A
2026-02-24
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
netikus eventsentry to 6.0.1.20 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-620 When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-24443 is an unverified password change vulnerability in EventSentry versions prior to 6.0.1.20. The issue exists in the Web Reports interface's account management functionality, where the password change mechanism does not require validation of the current password before allowing a new password to be set."}, {'type': 'paragraph', 'content': 'An attacker who gains temporary access to an authenticated user session can change the account password without knowing the original credentials. This allows the attacker to take over the account persistently.'}, {'type': 'paragraph', 'content': 'If administrative accounts are affected, this vulnerability may lead to privilege escalation.'}] [2]

Impact Analysis

This vulnerability can allow an attacker with temporary access to an authenticated session to change the account password without knowing the original password.

As a result, the attacker can gain persistent control over the compromised account.

If the compromised account has administrative privileges, the attacker may escalate their privileges, potentially gaining full control over the system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade EventSentry to version 6.0.1.20 or later, as versions prior to this contain the unverified password change flaw.

Additionally, restrict access to the Web Reports interface to trusted users only and monitor authenticated sessions closely to prevent unauthorized password changes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24443. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart