Description
EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.
Published: 2026-02-24
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover and privilege escalation via unchecked password changes
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows an authenticated user to change the password for an account without providing the current password, which violates the principle of credential validation. This flaw is captured by CWE‑620 (Unverified Password Change) and effectively lets an attacker take over a target account after briefly gaining a valid session. The impact includes permanent credential compromise and, if an administrative account is affected, potential escalation of privileges.
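To make the CWE‑620 pattern concrete, here is an added Python example (not EventSentry code, and not taken from the advisory) contrasting a password-change handler that trusts the session alone with one that re-verifies the current password, enforces a minimum length, and invalidates other sessions after the change. The in-memory credential store, the user name and the session-epoch mechanism are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed example: a minimal PBKDF2-backed credential store with a
# per-user "session epoch" so that a password change can revoke other sessions.
_ITERATIONS = 100_000  # illustrative; production values should be tuned higher


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


class CredentialStore:
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self._epoch: dict[str, int] = {}                    # user -> session epoch

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))
        self._epoch[username] = 0

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a known one.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(_hash_password(password, salt), stored)

    def current_epoch(self, username: str) -> int:
        return self._epoch[username]

    def session_is_valid(self, username: str, session_epoch: int) -> bool:
        # A session issued before the last password change is no longer honoured.
        return self._epoch.get(username) == session_epoch

    def _set_password(self, username: str, new_password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(new_password, salt))
        self._epoch[username] += 1  # rotate: every existing session becomes stale


# Defective pattern (CWE-620): the handler relies on the session cookie alone and
# never asks for the current password, so anyone holding the session can set a new one.
def change_password_unverified(store: CredentialStore, session_user: str,
                               new_password: str) -> bool:
    store._set_password(session_user, new_password)
    return True


# Hardened pattern: the caller must prove knowledge of the current password,
# the new password must meet a minimum length and differ from the old one, and
# the change rotates the session epoch so other sessions are logged out.
def change_password_verified(store: CredentialStore, session_user: str,
                             current_password: str, new_password: str,
                             min_length: int = 12) -> bool:
    if not store.verify(session_user, current_password):
        return False
    if len(new_password) < min_length or new_password == current_password:
        return False
    store._set_password(session_user, new_password)
    return True


if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("alice", "correct horse battery staple")
    print("verified change with wrong current password:",
          change_password_verified(store, "alice", "wrong", "a-much-longer-new-secret"))
    print("verified change with right current password:",
          change_password_verified(store, "alice", "correct horse battery staple",
                                   "a-much-longer-new-secret"))
```

In the hardened handler the current-password check is the control that CWE‑620 describes as missing; the epoch bump is the complementary control that limits what a hijacked session can do after a legitimate owner resets their password, and the `hmac.compare_digest` call avoids leaking information through comparison timing.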

Affected Systems

This flaw affects the EventSentry product from NETIKUS.NET ltd. Versions prior to 6.0.1.20 are vulnerable, so all installations running earlier builds are impacted.

Risk and Exploitability

The severity score of 8.6 indicates a high severity rating, but the exploitation probability according to EPSS is very low (< 1%). The vulnerability is not currently listed in CISA’s KEV catalog, suggesting no confirmed widespread exploitation at this time. The likely attack path involves an attacker who has temporary authenticated access to the system, for example through session hijacking or by using a legitimate user’s browser. Once that temporary access is obtained, the attacker can change the password and lock out the legitimate owner, resulting in persistent account takeover.

Generated by OpenCVE AI on April 17, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch by upgrading to EventSentry 6.0.1.20 or later.
  • If an upgrade cannot be performed immediately, restrict or disable the Web Reports interface for all non‑admin users, or block the relevant services until the patch is applied.
  • Force a password reset for all accounts, particularly administrators, and enable multi‑factor authentication to guard against session hijacking and credential compromise.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 03:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    NVD-CWE-Other
CPEs                          cpe:2.3:a:netikus:eventsentry:*:*:*:*:*:*:*:*
Metrics                       cvssV3_1
                              {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Feb 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Netikus
                                      Netikus eventsentry
Vendors & Products                    Netikus
                                      Netikus eventsentry

Tue, 24 Feb 2026 22:15:00 +0000

Type         Values Removed   Values Added
Metrics                       ssvc
                              {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 20:30:00 +0000

Type         Values Removed   Values Added
Description                   EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.
Title                         EventSentry < 6.0.1.20 Web Reports Unverified Password Change
Weaknesses                    CWE-620
References
Metrics                       cvssV4_0
                              {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:09:41.146Z

Reserved: 2026-01-22T20:23:19.804Z

Link: CVE-2026-24443

Vulnrichment

Updated: 2026-02-24T21:40:44.239Z

NVD

Status: Analyzed

Published: 2026-02-24T21:16:29.293

Modified: 2026-02-26T03:00:27.553

Link: CVE-2026-24443

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses