
CVE-2026-24443

Severity: High · Public PoC

Published: 24 February 2026
Modified: 26 February 2026
KEV Added: not listed
CVSS v4 score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0046 (36.6th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24443 is a high-severity Unverified Password Change (CWE-620) vulnerability in Netikus EventSentry. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). The CVE is ranked at the 36.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-24443 is an unverified password change vulnerability affecting EventSentry versions prior to 6.0.1.20, specifically in the account management functionality of the Web Reports interface. The flaw stems from the password change mechanism not requiring validation of the current password, allowing a new password to be set without knowledge of the original credentials. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-620.

An attacker who gains temporary access to any authenticated user session in the Web Reports interface can exploit this vulnerability to change the targeted account's password. This results in persistent account takeover, enabling ongoing unauthorized access. If the compromised account has administrative privileges, the attacker may achieve privilege escalation, potentially leading to full system compromise given the high confidentiality, integrity, and availability impacts.

Advisories recommend upgrading to EventSentry version 6.0.1.20 or later, as indicated in the vendor's version history at https://www.eventsentry.com/downloads/version-history. Additional details on the vulnerability and exploitation are available in the VulnCheck advisory at https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change.


Vulnerability details

EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.
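The Deeper analysis and Vulnerability details above describe the same CWE-620 pattern: a password-change handler that trusts session possession alone. The added example below (illustrative code written for this page, not EventSentry's) contrasts that shape with a handler that re-authenticates with the current password (IA-11 / IA-5) and records each attempt for review (AC-2); the account store, user names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed in-memory account model; illustrative, not EventSentry's code.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_account(username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": _hash(password, salt)}

def verify_password(account: dict, password: str) -> bool:
    return hmac.compare_digest(_hash(password, account["salt"]), account["hash"])

def _set_password(account: dict, new_password: str) -> None:
    account["salt"] = os.urandom(16)
    account["hash"] = _hash(new_password, account["salt"])

# CWE-620 shape: possession of a valid session is the only check performed.
def change_password_unverified(session: dict, account: dict, new_password: str) -> str:
    if session.get("user") != account["user"]:
        return "denied"
    _set_password(account, new_password)
    return "changed"

# Hardened shape: require the current password (re-authentication) and audit every attempt.
def change_password_verified(session: dict, account: dict, current_password: str,
                             new_password: str, audit: list) -> str:
    if session.get("user") != account["user"]:
        audit.append(("password_change_denied", account["user"], "session_mismatch"))
        return "denied"
    if not verify_password(account, current_password):
        audit.append(("password_change_denied", account["user"], "bad_current_password"))
        return "denied"
    _set_password(account, new_password)
    audit.append(("password_changed", account["user"], "ok"))
    return "changed"

def demo() -> dict:
    hijacked = {"user": "alice"}  # constructed: a session someone has temporary use of
    acct = make_account("alice", "OldSecret!1")
    unverified = change_password_unverified(hijacked, acct, "AttackerPw!9")
    takeover = verify_password(acct, "AttackerPw!9")  # True: the old credential is gone
    acct = make_account("alice", "OldSecret!1")
    audit: list = []
    guess = change_password_verified(hijacked, acct, "wrong-guess", "AttackerPw!9", audit)
    legit = change_password_verified(hijacked, acct, "OldSecret!1", "NewSecret!2", audit)
    return {"unverified": unverified, "takeover": takeover, "guess": guess,
            "legit": legit, "audit": audit}
```

The denied attempt leaves a "bad_current_password" audit record, which is the signal an AC-2 style review or alert would key on.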

CWE(s): CWE-620 (Unverified Password Change)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1098 Account Manipulation (Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

An unverified password change within an authenticated web session directly enables unauthorized modification of account credentials for persistent takeover (T1098 Account Manipulation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-9431 (shared CWE-620)
CVE-2026-24440 (shared CWE-620)
CVE-2026-27757 (shared CWE-620)
CVE-2026-40588 (shared CWE-620)
CVE-2025-1107 (shared CWE-620)
CVE-2026-42084 (shared CWE-620)
CVE-2024-45647 (shared CWE-620)
CVE-2024-13375 (shared CWE-620)
CVE-2024-12860 (shared CWE-620)
CVE-2026-30458 (shared CWE-620)

Affected Assets

netikus eventsentry, versions ≤ 6.0.1.20

Mitigating Controls (NIST 800-53 r5)

prevent: IA-5 mandates secure authenticator management procedures, including verification during password changes to prevent unauthorized modifications without knowledge of current credentials.

prevent: IA-11 requires re-authentication for privileged functions like password changes, blocking exploitation even if an attacker gains temporary session access.

prevent / detect: AC-2 enforces account management practices including auditing and user notifications for changes, enabling detection and response to unauthorized password modifications.

References