Skip to main content

Gallagher Command Centre EUVDEUVD-2026-31636

| CVE-2026-25193 HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-25 Gallagher GHSA-5p63-2cwc-2x43
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 09:23 vuln.today
Patch available
May 26, 2026 - 14:16 EUVD
CVE Published
May 25, 2026 - 05:28 nvd
HIGH 8.1

DescriptionCVE.org

Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.

Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre.

AnalysisAI

Credential exposure in Gallagher Command Centre Service installers writes Service Account credentials into installer log files under %programdata%\Gallagher\Command Centre, allowing a local low-privileged user who can read those logs to recover the configured Service Account password. The flaw (CWE-532) affects a broad set of Gallagher Command Centre components including Command Centre Server, Active Directory Sync, Entra ID Sync, Elevator Service, Middleware Framework and others, but only when the operator deviated from the default Network Service account during install. There is no public exploit identified at time of analysis and EPSS is 0.01%, but a successful read yields high-impact credential compromise of a privileged service identity.

Technical ContextAI

The root cause is CWE-532 (Insertion of Sensitive Information into Log File): the Gallagher installer routines for Command Centre Services persist the configured Service Account credential into plaintext installer logs on the local filesystem (typically %programdata%\Gallagher\Command Centre), a location whose ACLs commonly allow read access to authenticated local users. The CPE set shows the issue spans Gallagher's full Command Centre service ecosystem - the core Command Centre Server plus integration/sync services (Active Directory Sync, Entra ID Sync, Event Sync Utility, Cardholder Sync Utility, Okta Sync), operational services (Elevator Service, Diagnostics Service, Event Logger, Middleware Framework), and the Encoding Kiosk Application - indicating a shared installer/logging pattern across the product line. Because Command Centre is physical access control / security management software, the leaked Service Account is typically a Windows domain or local account with elevated rights to the Command Centre database and host, making this an identity-disclosure rather than a memory-corruption class issue.

RemediationAI

Vendor-released patches are available - upgrade each affected component to at least the fixed version listed in the Gallagher advisory (https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-25193): Command Centre Server 9.40.2575 (MR2), Active Directory Sync 9.10.05, Entra ID Sync 1.0.10 or 2.0.5, Okta Sync 9.40.05, Cardholder Sync Utility 9.30.104, Event Sync Utility 8.70.62, Event Logger 8.90.16, Diagnostics Service 2.0.9, Elevator Service 10.0.8, Middleware Framework 8.90.34, Encoding Kiosk Application 9.60.10, Papercut Interface Integration 9.60.02, Nexudus Integration 9.60.21, and SIP Integration 10.1.0. Because the credential may already have been written to disk by a prior install, also perform two remediation actions even after patching: rotate the custom Service Account password used during installation (the only way to invalidate any credential that was logged), and delete installer log files from %programdata%\Gallagher\Command Centre on every host where an affected installer was run; the trade-off is loss of historical install diagnostics, which is acceptable given the credential exposure. Deployments still using the default Network Service account are per vendor not impacted and need only patch to prevent the issue on future installs.

Share

EUVD-2026-31636 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy