CVE-2026-24443 HIGH

CVE-2026-24443: EventSentry < 6.0.1.20 Web Reports Unverified Password Change

Vendor Netikus.net Ltd
Product EventSentry
Weakness CWE-620 · Unverified password change
Published February 24, 2026
Last update May 14, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.

Key dates

02Disclosure timeline

February 24, 2026 CVE published
May 14, 2026 Record updated