Gallagher Command Centre installer left service account credentials in %programdata% logs, high-severity information security flaw

What happened

The Gallagher Command Centre installer, according to the advisory, can write service account credentials into installer log files, usually found under %programdata%\Gallagher\Command Centre.

The issue is tracked as CVE-2026-25193, rated 8.1 (HIGH). The vendor notes the exposure affects sites that install Command Centre Services with a custom Service Account, not the default Network Service account.

The recommended immediate mitigation is simple: change the Service Account password and delete any installer log files. The advisory does not disclose when the issue was first discovered or whether a patch is already available.

Why this matters to businesses

Service account credentials are the sort of keys that quietly let software do its job, until they don’t. If those credentials show up in a log file, attackers with access to servers or backups can pick them up and move from one system to another.

For organisations using Gallagher Command Centre, that means customers, partners and suppliers could be affected if attackers use exposed credentials to escalate access or extract data. Regulators will want to know about inadequate credential handling, and boards will want answers about detection and response times.

Also, if your teams treat service accounts as invisible, shared or eternal, this incident will sting worse than it should, because attackers love credentials that have been ignored.

If you’ve got the same weakness, here’s what happens next

Given exposed service account credentials, attackers can do a handful of useful things, none of them nice. They can authenticate to services that trust the account, persist quietly and widen access without needing new exploits.

Following that, you can expect hours of incident calls, forensic work, potentially halted services while passwords are rotated, and costs for recovery and customer notification. If persistent access went undetected, data access or operational disruption is possible, depending on what that service account could reach.

What to do on Monday morning

Don’t panic, act fast. Here are targeted steps to reduce risk and get control.

  • Rotate passwords for any custom Service Accounts used by Gallagher Command Centre, and treat rotation as mandatory, not optional.
  • Locate and securely delete installer log files, especially under %programdata%\Gallagher\Command Centre, then confirm secure backups don’t retain them.
  • Check who has filesystem and backup access to those installer logs, and tighten permissions to the minimum needed.
  • Search logs and backups for signs of access to those files, and review authentication logs for unusual use of the service accounts.
  • Ask your vendor (Gallagher) for official guidance or patches, and prioritise any vendor updates or hotfixes when available.
  • Ensure service accounts run with least privilege, and where possible replace long-lived shared accounts with managed secrets (vault) and short-lived credentials.
  • Test recovery and restore processes for systems that rely on those service accounts, so password rotation doesn’t trigger unexpected outages.
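
A read-only review pass for the "locate the installer logs" and "check who has filesystem access" steps above, as an added PowerShell example (not Gallagher tooling and not taken from the advisory). The file extensions, the keyword pattern and the list of broad principals are assumptions, since the advisory as summarised here does not name the log files or describe their format.

```powershell
# Added example. Run from an elevated prompt on the Command Centre server.
# Assumptions (not from the advisory): installer logs end in .log or .txt,
# and credential-bearing lines contain one of the generic keywords below.
$Root    = Join-Path $env:ProgramData 'Gallagher\Command Centre'
$Exts    = '.log', '.txt'
$Pattern = 'password|passwd|pwd|credential'
# Broad principals (English names) that should not read files holding secrets.
$Broad   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$ReadBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Output "Nothing found at $Root"
    return
}

$report = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Exts -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $file = $_
        # Count matching lines only. The lines are never echoed, because a
        # match may contain the secret itself.
        $hits = @(Select-String -LiteralPath $file.FullName -Pattern $Pattern `
                    -ErrorAction SilentlyContinue).Count
        $acl  = Get-Acl -LiteralPath $file.FullName
        # Allow entries that give a broad principal the right to read file data.
        $wide = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Broad -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $ReadBit) -ne 0)
        } | ForEach-Object { $_.IdentityReference.Value }

        [pscustomobject]@{
            Path          = $file.FullName
            LastWriteTime = $file.LastWriteTime
            SizeKB        = [math]::Round($file.Length / 1KB, 1)
            KeywordLines  = $hits
            BroadReaders  = ($wide | Sort-Object -Unique) -join '; '
            Owner         = $acl.Owner
        }
    }

# Files with keyword hits first: these are the ones to delete after the
# password has been rotated, and the ones to look for in backups.
$report | Sort-Object KeywordLines -Descending | Format-Table -AutoSize -Wrap
```

A file with a non-zero `KeywordLines` count and a non-empty `BroadReaders` column is the highest priority: it may hold the credential and is readable by ordinary accounts on the host.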

Where ISO standards fit, without the sales pitch

An ISO 27001-aligned system helps here by making you inventory and control accounts and secrets before they bite you, and you can read more about the standard and practical steps at Synergos on ISO 27001.

When you worry about continuity while rotating credentials or rebuilding systems, basics from ISO 22301 will stop a password rotation turning into an outage; see ISO 22301 guidance.

For baseline certifications and supplier checks that force you to prove those controls actually exist, look at IASME-style baseline approaches, which are practical for small and medium suppliers who tend to be weak links.

Put simply, the standards make the boring things compulsory, like account inventories, access reviews, and supplier assurance, so you don’t end up scrambling after a credential leak.

Heads up, this is fixable work, but it’s the kind of fix that rewards the organised rather than the lucky.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.