CVE-2026-25193 Publication - Service Account Password
Severity: High CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H
Components affected:

| Component | Fixed in |
|---|---|
| Command Centre Server vEL9.40 | 9.40.2575 (MR2) |
| Active Directory Sync | 9.10.05 |
| Cardholder Sync Utility | 9.30.104 |
| Diagnostics Service | 2.0.9 |
| Elevator Service | 10.0.8 |
| Encoding Kiosk Application | 9.60.10 |
| Entra ID Sync v1 | v1.0.10 |
| Entra ID Sync v2 | 2.0.5 |
| Event Sync Utility | 8.70.62 |
| Gallagher Event Logger | 8.90.16 |
| Middleware Framework | 8.90.34 |
| Nexudus Integration | 9.60.21 |
| Okta Sync | 9.40.05 |
| Papercut Interface Integration | 9.60.02 |
| SIP Integration | 10.1.0 |
Reported by: Gallagher Internal
Active exploitation of vulnerability*: No
Description of vulnerability: Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure.
Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.
Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre.
*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.
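A triage script for the mitigating factor and mitigation above, added here as an example and not Gallagher's own tooling: it lists services that run under a custom account and inventories log files under the advisory's path together with who can read them. Matching services on the string "Gallagher", treating built-in and virtual accounts as non-custom, and matching logs on the `*.log` extension are assumptions.

```powershell
# Added triage example; not Gallagher code. Run in an elevated PowerShell session.
# Assumptions: services are matched on "Gallagher" in name, display name or path,
# and installer logs are matched on the *.log extension.

$LogRoot = Join-Path $env:ProgramData 'Gallagher\Command Centre'   # path from the advisory
# Built-in and virtual accounts have no password an installer could have logged.
$BuiltIn = '^(LocalSystem|NT AUTHORITY\\(NetworkService|LocalService|SYSTEM)|NT SERVICE\\.+)$'

function Get-CustomAccountService {
    # Services under a custom account are the ones the advisory says may be impacted.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            ($_.Name -match 'Gallagher' -or $_.DisplayName -match 'Gallagher' -or
             $_.PathName -match 'Gallagher') -and
            $_.StartName -and $_.StartName -notmatch $BuiltIn
        } |
        Select-Object Name, DisplayName, StartName
}

function Get-InstallerLog {
    param([string]$Path = $LogRoot)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                LastWrite = $_.LastWriteTime
                # Principals allowed to read the file could have seen a logged credential.
                Readers   = ($acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and
                                   ($_.FileSystemRights -band $readData) } |
                    ForEach-Object { $_.IdentityReference.Value } |
                    Sort-Object -Unique) -join '; '
            }
        }
}

$services = @(Get-CustomAccountService)
$logs     = @(Get-InstallerLog)
$services | Format-Table -AutoSize
$logs     | Format-List

if ($services.Count -gt 0 -and $logs.Count -gt 0) {
    Write-Warning 'Custom service account and installer logs found: change the password, then remove the logs.'
    # -WhatIf only previews the deletion; drop it after reviewing the list above.
    $logs | ForEach-Object { Remove-Item -LiteralPath $_.File -WhatIf }
}
```

The Readers column shows how widely a logged credential may have been visible, which helps decide how urgently the Service Account password needs changing.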