Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
An OS command Injection issue exists in LogonTracer prior to v2.0.0. An arbitrary OS command may be executed by a logged-in user.
AnalysisAI
Command injection in LogonTracer versions prior to 2.0.0 allows authenticated users to execute arbitrary OS commands on the server. LogonTracer, a JPCERT/CC-developed log analysis tool for investigating lateral movement in Windows Active Directory environments, contains an insufficiently sanitized input handler that permits shell command injection. Authentication is required (PR:L), but once logged in, attackers can achieve complete system compromise with high confidentiality, integrity, and availability impact (VC:H/VI:H/VA:H). No active exploitation confirmed at time of analysis, though the CVSS 4.0 score of 8.7 and low attack complexity (AC:L) indicate significant risk for organizations running vulnerable versions.
Technical ContextAI
LogonTracer is a Python-based web application developed by JPCERT/CC for visualizing Windows Active Directory logon events to detect lateral movement during security incidents. The vulnerability is rooted in CWE-78 (OS Command Injection), where user-supplied input from authenticated sessions is passed to system shell commands without proper sanitization or escaping. The affected component (cpe:2.3:a:japan_computer_emergency_response_team_coordination_center_(jpcert/cc):logontracer:*:*:*:*:*:*:*:*) suggests all versions prior to v2.0.0 are vulnerable. Command injection flaws typically occur when applications use functions like os.system(), subprocess.call(), or eval() with untrusted input, allowing attackers to break out of intended command structure using shell metacharacters (semicolons, pipes, backticks). The CVSS 4.0 vector indicates network-accessible exploitation (AV:N) with no additional attack complexity beyond authentication (AT:N), meaning standard HTTP/HTTPS access to the LogonTracer web interface suffices once credentials are obtained.
RemediationAI
Upgrade LogonTracer to version 2.0.0 or later, which addresses the command injection vulnerability according to JPCERT/CC's security advisory at https://www.jpcert.or.jp/press/2026/PR20260423.html. Organizations should obtain the patched release from the official JPCERT/CC LogonTracer repository and follow the vendor's upgrade procedures, ensuring proper testing in non-production environments before deploying to production incident response systems. If immediate patching is not feasible, implement the following compensating controls with noted trade-offs: (1) Restrict network access to the LogonTracer web interface to a minimal set of trusted IP addresses using firewall rules or reverse proxy ACLs (reduces attack surface but does not prevent insider threats or attacks from compromised analyst workstations), (2) Implement application-layer authentication using strong multi-factor authentication and role-based access controls to limit the number of users with LogonTracer login credentials (reduces probability of credential compromise but does not eliminate risk from legitimate authenticated users), (3) Deploy the LogonTracer instance in an isolated network segment with egress filtering to prevent command execution from establishing outbound connections (limits post-exploitation impact but may interfere with legitimate tool functionality requiring external connectivity). These mitigations are temporary risk reductions only; upgrading to v2.0.0 remains the only complete remediation. Review application logs for suspicious command patterns or unexpected process executions during the vulnerable period to identify potential historical compromise.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25741