Skip to main content

Genetec Security Center CVE-2026-40619

| EUVDEUVD-2026-33946 HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2026-06-02 Genetec GHSA-pc23-4mq4-c95v
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 16:01 vuln.today

DescriptionCVE.org

A high security vulnerability affecting Security Center main server installations has been identified. It could allow an attacker with local OS privileges to the main server to access the Server Admin credentials. A third party hired by Genetec found the issue. There is currently no evidence of active exploitation.

This vulnerability is associated with specific installation package builds rather than the product version identifier alone. Certain versions (including 5.10.4.0, 5.11.3.0, 5.12.2.0 and 5.13.3.0) were released with both vulnerable and remediated installation packages under the same version number.

Consequently, version-based comparison alone is insufficient to determine exposure. Only installations performed using vulnerable builds are affected. Remediated builds can be distinguished using verified installation package hashes. For the complete list of fixed build hashes, refer to the security advisory section.

AnalysisAI

Local credential exposure in Genetec Security Center main server installations allows an attacker with local OS privileges on the main server host to retrieve Server Admin credentials, enabling escalation to full Security Center administrative control. The flaw is tied to specific vulnerable installer builds rather than version numbers, meaning hosts running 5.10.4.0, 5.11.3.0, 5.12.2.0 or 5.13.3.0 may or may not be vulnerable depending on the installation package hash. No public exploit identified at time of analysis and no evidence of active exploitation per the vendor advisory.

Technical ContextAI

Genetec Security Center is a unified physical security platform combining video surveillance, access control, and license plate recognition; the Server Admin role governs configuration of the main server backend. The CWE-532 classification (Insertion of Sensitive Information into Log File) indicates the Server Admin credentials are written by certain installer builds into a location readable by local OS principals - typically logs, installer artifacts, or configuration files left behind with overly permissive ACLs. Per CPE cpe:2.3:a:genetec_inc.:genetec_security_center:*, the affected scope is the Security Center server-side product rather than client SDK or mobile components, and exposure is determined by the installer package hash actually executed on each host, not the displayed product version.

RemediationAI

Patch available per vendor advisory: Genetec has released remediated installation packages for 5.10.4.0, 5.11.3.0, 5.12.2.0 and 5.13.3.0, and operators must verify which installer was used on each main server by comparing the on-host installer package hash against the fixed-build hashes listed in the Genetec advisory at https://resources.genetec.com/security-advisories/vulnerability-affecting-security-center-systems-main-server-installations, then reinstall or upgrade using a confirmed remediated build where the hash does not match. Because Server Admin credentials may already be exposed on the local host, after remediation rotate the Server Admin password and any reused service credentials, and review access logs for anomalous Server Admin authentication. As a compensating control until installer hashes can be verified, tightly restrict interactive and remote logon to main server hosts (RDP, local console, file shares) to a minimal set of vetted administrators and apply file-system ACL hardening on Security Center program data and log directories - the trade-off is added operational friction for legitimate ops staff and potential disruption to backup or monitoring agents that read those directories.

Share

CVE-2026-40619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy