CVE-2026-24443
📋 TL;DR
EventSentry Web Reports interface versions before 6.0.1.20 contain an unverified password change vulnerability. Attackers with temporary access to an authenticated session can change account passwords without knowing the current password, leading to account takeover. This affects all EventSentry users with Web Reports enabled.
💻 Affected Systems
- EventSentry
📦 What is this software?
EventSentry by Netikus
⚠️ Risk & Real-World Impact
Worst Case
Administrative account takeover leading to full system compromise, privilege escalation, and persistent access to the monitoring infrastructure.
Likely Case
User account takeover enabling unauthorized access to monitoring data, potential lateral movement within the network, and persistence through password changes.
If Mitigated
Limited to temporary session hijacking without persistent access if proper session management and monitoring are in place.
🎯 Exploit Status
Requires access to an authenticated session, but is trivial to exploit once a session is obtained; no special tools are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.1.20
Vendor Advisory: https://www.eventsentry.com/downloads/version-history
Restart Required: Yes
Instructions:
1. Download EventSentry version 6.0.1.20 or later from the vendor website.
2. Run the installer to upgrade.
3. Restart the EventSentry service and any affected systems.
🔧 Temporary Workarounds
Disable Web Reports Interface
Windows: Temporarily disable the vulnerable Web Reports component if patching is not immediately possible.
Stop the EventSentry Web Reports service via Windows Services manager or command: net stop "EventSentry Web Reports"
Restrict Network Access
All platforms: Limit access to the Web Reports interface to trusted IP addresses only, using firewall rules.
Use Windows Firewall or a network appliance to block external access to the port used by Web Reports (default 443).
🧯 If You Can't Patch
- Implement strict session timeout policies (e.g., 15-minute inactivity limits) to reduce the window for exploitation.
- Enable multi-factor authentication (MFA) for all accounts if supported, and monitor for unusual password change events in logs.
🔍 How to Verify
Check if Vulnerable:
Check EventSentry version in Web Reports interface under Help > About or via installed programs list; versions below 6.0.1.20 are vulnerable.
Check Version:
In EventSentry Web Reports, navigate to Help > About to view version, or check installed programs in Windows Control Panel.
Verify Fix Applied:
Confirm version is 6.0.1.20 or higher in the interface, and test that password changes now require current password validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual password change events in EventSentry logs, especially without prior authentication failures or from unexpected IP addresses.
- Multiple password change attempts within short timeframes for the same account.
Network Indicators:
- HTTP POST requests to password change endpoints that carry no current-password validation, as seen in traffic captures.
SIEM Query:
source="EventSentry" AND event_type="password_change" AND current_password_validation="missing"
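The two log indicators above (a password change from an address the account never authenticated from, and a burst of changes for one account) can be checked offline against exported logs. The following is an added example, not EventSentry's or the vendor's code; the log format, field names and sample lines are constructed assumptions, since the real EventSentry schema is not given on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, NOT EventSentry's real schema).
# Fields: timestamp | event_type | account | source_ip
SAMPLE_LOG = """\
2026-02-01T09:00:00 login_success alice 10.0.0.5
2026-02-01T09:05:00 password_change alice 10.0.0.5
2026-02-01T11:00:00 login_success bob 10.0.0.7
2026-02-01T11:20:00 password_change bob 203.0.113.9
2026-02-01T11:21:00 password_change bob 203.0.113.9
2026-02-01T11:22:30 password_change bob 203.0.113.9
"""


def parse(log_text):
    """Split the constructed log into (timestamp, event_type, account, ip) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, etype, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), etype, account, ip))
    return events


def detect(log_text, window=timedelta(minutes=10), threshold=3):
    """Return alerts for the two log indicators:
    - "unexpected_ip": a password change from an IP with no prior successful login for that account
    - "burst": `threshold` password changes for one account inside `window` (alerted once per burst)
    """
    alerts = []
    known_ips = defaultdict(set)   # account -> IPs seen on successful login
    recent = defaultdict(deque)    # account -> timestamps of recent password changes
    for ts, etype, account, ip in parse(log_text):
        if etype == "login_success":
            known_ips[account].add(ip)
        elif etype == "password_change":
            if ip not in known_ips[account]:
                alerts.append(("unexpected_ip", account, ip, ts))
            q = recent[account]
            q.append(ts)
            while q and ts - q[0] > window:   # drop changes older than the window
                q.popleft()
            if len(q) == threshold:
                alerts.append(("burst", account, ip, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Feed real exported events through `parse` after adapting the field mapping; the alice lines show that a change from an address with a prior login produces no alert.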