CVE-2026-25193 - Vulnerability Details - OpenCVE

Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure.  Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted. Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-25193

History

Mon, 25 May 2026 07:45:00 +0000

Type	Values Removed	Values Added
Title		Sensitive Information Disclosure via Installer Log Files in Gallagher Command Centre Services

Mon, 25 May 2026 06:45:00 +0000

Type	Values Removed	Values Added
Description		Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure.  Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted. Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre.
Weaknesses		CWE-532
References		https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-25193
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Gallagher

Published: 2026-05-25T05:28:14.766Z

Updated: 2026-05-25T05:28:14.766Z

Reserved: 2026-03-01T23:45:09.705Z

Link: CVE-2026-25193

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T07:30:19Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25193", "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "state": "PUBLISHED", "assignerShortName": "Gallagher", "dateReserved": "2026-03-01T23:45:09.705Z", "datePublished": "2026-05-25T05:28:14.766Z", "dateUpdated": "2026-05-25T05:28:14.766Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher", "dateUpdated": "2026-05-25T05:28:14.766Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-532", "description": "CWE-532 Insertion of sensitive information into log file", "type": "CWE"}]}], "affected": [{"vendor": "Gallagher", "product": "Command Centre Server", "versions": [{"status": "affected", "version": "9.40", "lessThan": "9.40.2575 (MR2)", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Gallagher", "product": "Active Directory Sync", "versions": [{"status": "affected", "version": "0", "lessThan": "9.10.05", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "Cardholder Sync Utility", "versions": [{"status": "affected", "version": "0", "lessThan": "9.30.104", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "Diagnostics Service", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.9", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "Elevator Service", "versions": [{"status": "affected", "version": "0", "lessThan": "10.0.8", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "Encoding Kiosk Application", "versions": [{"status": "affected", "version": "0", "lessThan": "9.60.10", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "Entra ID Sync", "versions": [{"status": "affected", "version": "1.0", "lessThan": "1.0.10", "versionType": "custom"}, {"status": "affected", "version": "2.0", "lessThan": "2.0.5", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Gallagher", "product": "Event Sync Utility", "versions": [{"status": "affected", "version": "0", "lessThan": "8.70.62", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "Event Logger", "versions": [{"status": "affected", "version": "0", "lessThan": "8.90.16", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "Middleware Framework", "versions": [{"status": "affected", "version": "0", "lessThan": "8.90.34", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "Nexudus Integration", "versions": [{"status": "affected", "version": "0", "lessThan": "9.60.21", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "Okta Sync", "versions": [{"status": "affected", "version": "0", "lessThan": "9.40.05", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "Papercut Interface Integration", "versions": [{"status": "affected", "version": "0", "lessThan": "9.60.02", "versionType": "custom"}], "defaultStatus": "affected"}, {"vendor": "Gallagher", "product": "SIP Integration", "versions": [{"status": "affected", "version": "0", "lessThan": "10.1.0", "versionType": "custom"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information into Log File (CWE-532)\u00a0in some Command Centre Service installers could lead to Service Account credentials exposure.\u202f\nMitigating Factor:\u00a0Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.\n\nMitigation:\u00a0For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\\Gallagher\\Command Centre.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure.\u202f<br><b>Mitigating Factor:</b> Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.</p><div><b>Mitigation: </b>For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\\Gallagher\\Command Centre.</div>"}]}], "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-25193"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H"}}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}}}