HIGH 7.8

CVE-2026-40619: Genetec Security Center Admin Credential Disclosure (Build-Based Vulnerability)

A high-severity vulnerability in Genetec Security Center main server installations can allow an attacker who already has local access to the server's operating system to steal the Server Admin credentials. The unusual aspect of this vulnerability is that it affects specific installation builds rather than entire product versions—meaning two installations of the same version number could have different risk levels depending on which build was deployed. There is currently no public evidence that this flaw is being actively exploited in the wild.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-532
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A high security vulnerability affecting Security Center main server installations has been identified. It could allow an attacker with local OS privileges to the main server to access the Server Admin credentials. A third party hired by Genetec found the issue. There is currently no evidence of active exploitation. This vulnerability is associated with specific installation package builds rather than the product version identifier alone. Certain versions (including 5.10.4.0, 5.11.3.0, 5.12.2.0 and 5.13.3.0) were released with both vulnerable and remediated installation packages under the same version number. Consequently, version-based comparison alone is insufficient to determine exposure. Only installations performed using vulnerable builds are affected. Remediated builds can be distinguished using verified installation package hashes. For the complete list of fixed build hashes, refer to the security advisory section.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-40619 is a local privilege escalation and credential disclosure vulnerability in Genetec Security Center main server deployments. It stems from improper handling of sensitive credentials (CWE-532: Insertion of Sensitive Information into Log Files), allowing a local OS user to extract Server Admin credentials. The CVSS 3.1 score of 7.8 (HIGH) reflects the local attack vector requirement, but the high confidentiality and integrity impact from obtaining admin credentials. Crucially, the vulnerability exists in specific installation package builds rather than being tied uniformly to version numbers—versions 5.10.4.0, 5.11.3.0, 5.12.2.0, and 5.13.3.0 were released with both vulnerable and patched builds under the same version identifier. Remediated builds can be identified and verified using cryptographic hashes provided in Genetec's security advisory.

Business impact

Compromise of Server Admin credentials represents a critical business risk. An attacker gaining these credentials can assume full administrative control of the Security Center deployment, enabling unauthorized surveillance system manipulation, data exfiltration, system reconfiguration, or sabotage. For organizations relying on physical security operations and incident investigation, this could undermine the integrity of video evidence, audit trails, and access controls. The risk is especially acute in regulated environments (finance, healthcare, critical infrastructure) where security system integrity is mandated.

Affected systems

The vulnerability affects Genetec Security Center main server installations, but exposure cannot be determined by version number alone. Specifically, installations using vulnerable builds of versions 5.10.4.0, 5.11.3.0, 5.12.2.0, or 5.13.3.0 are at risk. Installations using remediated builds of these same versions, or other versions not listed, require assessment against the build hash list in Genetec's advisory. Organizations must verify their deployed build hashes rather than relying on version comparisons.

Exploitability

Exploitation requires local operating system access to the main server—an attacker cannot trigger this remotely. This constrains the attack surface to internal threats (malicious employees, lateral movement from a compromised system) or scenarios where physical access has already been achieved. The low complexity and lack of user interaction once local access is obtained make exploitation straightforward for any actor with OS-level privileges. The absence of current public exploit evidence suggests the vulnerability remains largely unknown, though this does not diminish the risk to affected installations.

Remediation

Organizations must move beyond version-based patching. The critical step is obtaining and deploying remediated installation packages for affected versions, which can be verified using cryptographic hashes provided by Genetec. For new deployments, ensure installation media is sourced from current, patched releases. For existing deployments, Genetec's security advisory will specify whether your installed build is vulnerable or already remediated. If vulnerable, a clean reinstallation or update to a remediated build is necessary. Additionally, implement compensating controls: restrict local OS access to the main server through role-based OS accounts, monitor credential stores and admin logs, and enforce multi-factor authentication for administrative functions where supported.

Patch guidance

Contact Genetec Support to obtain the official security advisory listing remediated build hashes for versions 5.10.4.0, 5.11.3.0, 5.12.2.0, and 5.13.3.0. Verify your current installation's package hash against the list of fixed hashes provided by Genetec. If your installation uses a vulnerable build, plan an update to a remediated build within your change management window. Test remediated builds in a non-production environment first to ensure compatibility with your deployment. For guidance on build identification and hash verification procedures, consult Genetec's technical documentation or contact their support team.

Detection guidance

Monitor Security Center main server systems for unauthorized attempts to access credential stores or configuration files containing Server Admin passwords. Enable OS-level auditing on the main server to log file access, registry modifications (if Windows-based), or credential store queries. Correlate these logs with authentication events to identify suspicious access patterns. Additionally, verify the installation package hash of your deployments against the remediated builds list as part of your vulnerability assessment process. Organizations without access to installation source packages can contact Genetec support for assistance in determining their build status.

Why prioritize this

This vulnerability merits high prioritization because (1) compromise of Server Admin credentials grants near-total control over physical security operations, (2) the local-only attack vector, while constraining exploitation, is highly relevant in environments with privileged users or where lateral movement occurs, (3) the unusual build-hash verification requirement means many organizations may be unaware of their actual exposure status, and (4) the absence of KEV designation and public exploits does not eliminate risk—it underscores the importance of proactive patching before threat actors develop and weaponize working exploits.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) appropriately reflects the severity: local access requirement (AV:L) limits the immediate attack surface but is not an unrealistic constraint in corporate environments; low complexity (AC:L) means straightforward exploitation once access is gained; and the high impact ratings for confidentiality, integrity, and availability stem from the ability to extract and abuse admin credentials, effectively compromising the entire security system. Organizations should treat this as a must-patch vulnerability, especially those with sophisticated insider-threat or lateral-movement risks.

Frequently asked questions

Why does version number alone not determine whether we're vulnerable?

Genetec released both vulnerable and patched installation packages under the same version numbers (5.10.4.0, 5.11.3.0, 5.12.2.0, 5.13.3.0). The build used at installation time determines exposure, not the version label. You must verify your installation's package hash against Genetec's list of remediated build hashes in their security advisory.

Can this vulnerability be exploited remotely?

No. The vulnerability requires local operating system privileges on the main server itself. Remote exploitation is not possible. However, local access can be achieved through employee accounts, compromised systems on the network, or physical access scenarios. Organizations should treat this as a risk factor if internal threat models include privileged user compromise or lateral movement.

What exactly can an attacker do if they obtain the Server Admin credentials?

Server Admin credentials grant administrative control over the entire Security Center deployment. An attacker could view and manipulate video feeds, alter audit logs, reconfigure access policies, export sensitive data, or disable security monitoring. This effectively compromises the integrity and availability of physical security operations.

Is this vulnerability currently being exploited in the wild?

There is no public evidence of active exploitation. However, the absence of known exploits does not eliminate risk. Proactive patching is essential before threat actors develop working proof-of-concept code. The vulnerability's relatively recent disclosure (June 2026) means threat intelligence is still evolving.

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. SEC.co does not warrant the accuracy or completeness of this assessment. Organizations must verify exposure using Genetec's official security advisory and build hash lists. Remediation guidance should be validated against your specific deployment architecture and tested in non-production environments before production deployment. Consult Genetec support for technical clarification, build verification assistance, or compatibility questions. This vulnerability intelligence does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).