Skip to main content

LogonTracer EUVDEUVD-2026-25741

| CVE-2026-33277 HIGH
OS Command Injection (CWE-78)
2026-04-27 jpcert
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 00:29 vuln.today
CVSS changed
Apr 27, 2026 - 00:22 NVD
8.8 (HIGH) 8.7 (HIGH)
EUVD ID Assigned
Apr 27, 2026 - 00:15 euvd
EUVD-2026-25741
Analysis Generated
Apr 27, 2026 - 00:15 vuln.today
CVE Published
Apr 27, 2026 - 00:03 nvd
HIGH 8.7

DescriptionCVE.org

An OS command Injection issue exists in LogonTracer prior to v2.0.0. An arbitrary OS command may be executed by a logged-in user.

AnalysisAI

Command injection in LogonTracer versions prior to 2.0.0 allows authenticated users to execute arbitrary OS commands on the server. LogonTracer, a JPCERT/CC-developed log analysis tool for investigating lateral movement in Windows Active Directory environments, contains an insufficiently sanitized input handler that permits shell command injection. Authentication is required (PR:L), but once logged in, attackers can achieve complete system compromise with high confidentiality, integrity, and availability impact (VC:H/VI:H/VA:H). No active exploitation confirmed at time of analysis, though the CVSS 4.0 score of 8.7 and low attack complexity (AC:L) indicate significant risk for organizations running vulnerable versions.

Technical ContextAI

LogonTracer is a Python-based web application developed by JPCERT/CC for visualizing Windows Active Directory logon events to detect lateral movement during security incidents. The vulnerability is rooted in CWE-78 (OS Command Injection), where user-supplied input from authenticated sessions is passed to system shell commands without proper sanitization or escaping. The affected component (cpe:2.3:a:japan_computer_emergency_response_team_coordination_center_(jpcert/cc):logontracer:*:*:*:*:*:*:*:*) suggests all versions prior to v2.0.0 are vulnerable. Command injection flaws typically occur when applications use functions like os.system(), subprocess.call(), or eval() with untrusted input, allowing attackers to break out of intended command structure using shell metacharacters (semicolons, pipes, backticks). The CVSS 4.0 vector indicates network-accessible exploitation (AV:N) with no additional attack complexity beyond authentication (AT:N), meaning standard HTTP/HTTPS access to the LogonTracer web interface suffices once credentials are obtained.

RemediationAI

Upgrade LogonTracer to version 2.0.0 or later, which addresses the command injection vulnerability according to JPCERT/CC's security advisory at https://www.jpcert.or.jp/press/2026/PR20260423.html. Organizations should obtain the patched release from the official JPCERT/CC LogonTracer repository and follow the vendor's upgrade procedures, ensuring proper testing in non-production environments before deploying to production incident response systems. If immediate patching is not feasible, implement the following compensating controls with noted trade-offs: (1) Restrict network access to the LogonTracer web interface to a minimal set of trusted IP addresses using firewall rules or reverse proxy ACLs (reduces attack surface but does not prevent insider threats or attacks from compromised analyst workstations), (2) Implement application-layer authentication using strong multi-factor authentication and role-based access controls to limit the number of users with LogonTracer login credentials (reduces probability of credential compromise but does not eliminate risk from legitimate authenticated users), (3) Deploy the LogonTracer instance in an isolated network segment with egress filtering to prevent command execution from establishing outbound connections (limits post-exploitation impact but may interfere with legitimate tool functionality requiring external connectivity). These mitigations are temporary risk reductions only; upgrading to v2.0.0 remains the only complete remediation. Review application logs for suspicious command patterns or unexpected process executions during the vulnerable period to identify potential historical compromise.

Share

EUVD-2026-25741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy