CVE-2026-25193 PUBLISHED

Assigner: Gallagher
Reserved: 01.03.2026 Published: 25.05.2026 Updated: 25.05.2026

Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure.

Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.

Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H
CVSS Score: 8.1

Product Status

Vendor Gallagher
Product Command Centre Server
Versions Default: unaffected
  • affected from 9.40 to 9.40.2575 (MR2) (excl.)
Vendor Gallagher
Product Active Directory Sync
Versions Default: affected
  • affected from 0 to 9.10.05 (excl.)
Vendor Gallagher
Product Cardholder Sync Utility
Versions Default: affected
  • affected from 0 to 9.30.104 (excl.)
Vendor Gallagher
Product Diagnostics Service
Versions Default: affected
  • affected from 0 to 2.0.9 (excl.)
Vendor Gallagher
Product Elevator Service
Versions Default: affected
  • affected from 0 to 10.0.8 (excl.)
Vendor Gallagher
Product Encoding Kiosk Application
Versions Default: affected
  • affected from 0 to 9.60.10 (excl.)
Vendor Gallagher
Product Entra ID Sync
Versions Default: unaffected
  • affected from 1.0 to 1.0.10 (excl.)
  • affected from 2.0 to 2.0.5 (excl.)
Vendor Gallagher
Product Event Sync Utility
Versions Default: affected
  • affected from 0 to 8.70.62 (excl.)
Vendor Gallagher
Product Event Logger
Versions Default: affected
  • affected from 0 to 8.90.16 (excl.)
Vendor Gallagher
Product Middleware Framework
Versions Default: affected
  • affected from 0 to 8.90.34 (excl.)
Vendor Gallagher
Product Nexudus Integration
Versions Default: affected
  • affected from 0 to 9.60.21 (excl.)
Vendor Gallagher
Product Okta Sync
Versions Default: affected
  • affected from 0 to 9.40.05 (excl.)
Vendor Gallagher
Product Papercut Interface Integration
Versions Default: affected
  • affected from 0 to 9.60.02 (excl.)
Vendor Gallagher
Product SIP Integration
Versions Default: affected
  • affected from 0 to 10.1.0 (excl.)

Problem Types

  • CWE-532 Insertion of sensitive information into log file