CVE-2026-20801: Gallagher VMS Information Disclosure Flaw

CVE-2026-20801 Overview

CVE-2026-20801 is a Cleartext Transmission of Sensitive Information vulnerability (CWE-319) affecting Gallagher VMS integrations. The flaw exists in a component used in both Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations, allowing unprivileged users with local network access to intercept and view live video streams transmitted over the network without encryption.

This vulnerability represents a significant security risk for organizations relying on these video management systems for physical security surveillance, as it enables passive network eavesdropping to capture sensitive video footage.

Critical Impact

Unprivileged users on the local network can intercept and view live video surveillance streams due to cleartext transmission, potentially compromising physical security operations and exposing sensitive monitored areas.

Affected Products

• Gallagher NxWitness VMS integration (all versions prior to 9.10.017)
• Gallagher Hanwha VMS integration (all versions prior to 9.10.025)

Discovery Timeline

• 2026-03-03 - CVE CVE-2026-20801 published to NVD
• 2026-03-03 - Last updated in NVD database

Technical Details for CVE-2026-20801

Vulnerability Analysis

This vulnerability stems from the transmission of video stream data without proper encryption over the network. The affected VMS integration components fail to implement secure communication protocols when transmitting live video feeds between system components. This architectural weakness allows any user with access to the local network segment to passively capture network traffic and reconstruct video streams being transmitted in cleartext.

The vulnerability requires network access but no special privileges or user interaction to exploit. An attacker positioned on the same network segment can use standard network analysis tools to capture and view the unencrypted video traffic, effectively bypassing any access controls implemented at the application level.

Root Cause

The root cause of CVE-2026-20801 is the use of unencrypted communication protocols for transmitting sensitive video stream data. The affected component in both Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations does not enforce TLS/SSL encryption for video stream transmission, leaving the data vulnerable to interception. This represents a failure to implement defense-in-depth principles where sensitive data should always be encrypted in transit regardless of the network environment.

Attack Vector

The attack vector is network-based, requiring the attacker to have access to the local network where the VMS components communicate. The exploitation scenario involves:

1. An attacker gains access to the local network (either as an insider or through network compromise)
2. The attacker deploys network sniffing tools to capture traffic on the network segment
3. Video stream data transmitted in cleartext is captured
4. The attacker reconstructs and views the live video feeds without authentication

The vulnerability can be exploited passively without sending any malicious traffic, making detection particularly challenging. Standard packet capture tools can be used to intercept the cleartext video streams transmitted between VMS components.

Detection Methods for CVE-2026-20801

Indicators of Compromise

• Unusual network traffic capture activities on network segments where VMS components operate
• Presence of network sniffing tools or promiscuous mode network interfaces on systems within the VMS network segment
• Unexpected ARP traffic patterns that may indicate network reconnaissance
• Unauthorized devices connected to network segments carrying VMS traffic

Detection Strategies

• Monitor for promiscuous mode being enabled on network interfaces within the VMS network segment
• Implement network traffic analysis to detect unauthorized packet capture activities
• Deploy network access control (NAC) to prevent unauthorized devices from joining VMS network segments
• Use intrusion detection systems to identify suspicious network reconnaissance behavior

Monitoring Recommendations

• Enable logging and monitoring on network switches to detect spanning port configurations or traffic mirroring
• Implement port security on switches to limit which devices can connect to VMS network segments
• Monitor for new or unauthorized devices appearing on network segments used by VMS components
• Review access logs for VMS systems to identify potential unauthorized access attempts

How to Mitigate CVE-2026-20801

Immediate Actions Required

• Upgrade Gallagher NxWitness VMS integration to version 9.10.017 or later
• Upgrade Gallagher Hanwha VMS integration to version 9.10.025 or later
• Isolate VMS components on dedicated network segments with strict access controls
• Implement network segmentation to limit exposure of VMS traffic to authorized systems only

Patch Information

Gallagher has released security updates to address this vulnerability. Organizations should upgrade to the following minimum versions:

• Gallagher NxWitness VMS integration: Version 9.10.017 or later
• Gallagher Hanwha VMS integration: Version 9.10.025 or later

For detailed patch information and download links, refer to the Gallagher Security Advisory for CVE-2026-20801.

Workarounds

• Implement network segmentation using VLANs to isolate VMS traffic from general network access
• Deploy encrypted network tunnels (VPN or IPsec) between VMS components if patches cannot be immediately applied
• Restrict physical and logical access to network segments carrying VMS traffic
• Enable port security and MAC address filtering on network switches to prevent unauthorized device connections

# Example network segmentation configuration
# Create dedicated VLAN for VMS components
vlan 100
  name VMS_SECURE_SEGMENT
# Apply access control to restrict traffic
interface vlan 100
  ip access-group VMS_RESTRICTED in