HIGH | CVE-2026-25193 | CNA: Gallagher
CVE-2026-25193: Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure
Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure.

Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.

Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 1.0.10
- Affected Products: 14
Fix available
1.0.10, 2.0.5, 2.0.9, 8.70.62, 8.90.16, 8.90.34, 9.10.05, 9.30.104, 9.40.2575 (MR2), 9.40.05, 9.60.02, 9.60.10, 9.60.21, 10.0.8, 10.1.0
Affected packages
- Gallagher / Command Centre Server: < 9.40.2575 (MR2) (from 9.40)
- Gallagher / Active Directory Sync: < 9.10.05 (from 0)
- Gallagher / Cardholder Sync Utility: < 9.30.104 (from 0)
- Gallagher / Diagnostics Service: < 2.0.9 (from 0)
- Gallagher / Elevator Service: < 10.0.8 (from 0)
- Gallagher / Encoding Kiosk Application: < 9.60.10 (from 0)
- Gallagher / Entra ID Sync: < 1.0.10 (from 1.0) · < 2.0.5 (from 2.0)
- Gallagher / Event Sync Utility: < 8.70.62 (from 0)
- Gallagher / Event Logger: < 8.90.16 (from 0)
- Gallagher / Middleware Framework: < 8.90.34 (from 0)
- Gallagher / Nexudus Integration: < 9.60.21 (from 0)
- Gallagher / Okta Sync: < 9.40.05 (from 0)
- Gallagher / Papercut Interface Integration: < 9.60.02 (from 0)
- Gallagher / SIP Integration: < 10.1.0 (from 0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H