CVE-2026-24443
Awaiting Analysis Awaiting Analysis - Queue
Unverified Password Change Vulnerability in EventSentry Web Reports

Publication date: 2026-02-24

Last updated on: 2026-02-26

Assigner: VulnCheck

Description
EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24443
EUVD
EUVD-2026-8560
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netikus eventsentry to 6.0.1.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-620 When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-24443 is an unverified password change vulnerability in EventSentry versions prior to 6.0.1.20. The issue exists in the Web Reports interface's account management functionality, where the password change mechanism does not require validation of the current password before allowing a new password to be set."}, {'type': 'paragraph', 'content': 'An attacker who gains temporary access to an authenticated user session can change the account password without knowing the original credentials. This allows the attacker to take over the account persistently.'}, {'type': 'paragraph', 'content': 'If administrative accounts are affected, this vulnerability may lead to privilege escalation.'}] [2]

Impact Analysis

This vulnerability can allow an attacker with temporary access to an authenticated session to change the account password without knowing the original password.

As a result, the attacker can gain persistent control over the compromised account.

If the compromised account has administrative privileges, the attacker may escalate their privileges, potentially gaining full control over the system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade EventSentry to version 6.0.1.20 or later, as versions prior to this contain the unverified password change flaw.

Additionally, restrict access to the Web Reports interface to trusted users only and monitor authenticated sessions closely to prevent unauthorized password changes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24443. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart