CVE-2026-24443
Published: 24 February 2026
Summary
CVE-2026-24443 is a high-severity Unverified Password Change (CWE-620) vulnerability in Netikus Eventsentry. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 mandates secure authenticator management procedures, including verification during password changes to prevent unauthorized modifications without knowledge of current credentials.
IA-11 requires re-authentication for privileged functions like password changes, blocking exploitation even if an attacker gains temporary session access.
AC-2 enforces account management practices including auditing and user notifications for changes, enabling detection and response to unauthorized password modifications.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unverified password change in authenticated web session directly enables unauthorized modification of account credentials for persistent takeover (T1098 Account Manipulation).
NVD Description
EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be…
more
set. An attacker who gains temporary access to an authenticated user session can change the account password without knowledge of the original credentials. This enables persistent account takeover and, if administrative accounts are affected, may result in privilege escalation.
Deeper analysisAI
CVE-2026-24443 is an unverified password change vulnerability affecting EventSentry versions prior to 6.0.1.20, specifically in the account management functionality of the Web Reports interface. The flaw stems from the password change mechanism not requiring validation of the current password, allowing a new password to be set without knowledge of the original credentials. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-620.
An attacker who gains temporary access to any authenticated user session in the Web Reports interface can exploit this vulnerability to change the targeted account's password. This results in persistent account takeover, enabling ongoing unauthorized access. If the compromised account has administrative privileges, the attacker may achieve privilege escalation, potentially leading to full system compromise given the high confidentiality, integrity, and availability impacts.
Advisories recommend upgrading to EventSentry version 6.0.1.20 or later, as indicated in the vendor's version history at https://www.eventsentry.com/downloads/version-history. Additional details on the vulnerability and exploitation are available in the VulnCheck advisory at https://www.vulncheck.com/advisories/eventsentry-web-reports-unverified-password-change.
Details
- CWE(s)