CVE-2026-25193

HIGH

Gallagher Command Centre Server - Insertion of Sensitive Information into Log File

Title source: rule

Description

Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure.  Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted. Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre.

References (1)

Core 1

Core References

https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-25193

Scores

CVSS v3 8.1

EPSS 0.0013

EPSS Percentile 3.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (15)

Gallagher/Active Directory Sync < 9.10.05

Gallagher/Cardholder Sync Utility < 9.30.104

Gallagher/Command Centre Server 9.40 - 9.40.2575 (MR2)

Gallagher/Diagnostics Service < 2.0.9

Gallagher/Elevator Service < 10.0.8

Gallagher/Encoding Kiosk Application < 9.60.10

Gallagher/Entra ID Sync 1.0 - 1.0.10

Gallagher/Entra ID Sync 2.0 - 2.0.5

Gallagher/Event Logger < 8.90.16

Gallagher/Event Sync Utility < 8.70.62

... and 5 more

Published May 25, 2026

Tracked Since May 25, 2026