JustAppSec
Back to news

LogonTracer authenticated command injection gives shell access

2 min readPublished 27 Apr 2026Updated 27 Apr 2026Source: CVEProject (cvelistV5)
CVE-2026-33277NewsSecurity ToolingCommand Injection

TL;DR - LogonTracer < 2.0.0: a logged-in user can run arbitrary OS commands on the server. If you run LogonTracer as a shared or internal service, treat any unpatched instance as potentially compromised and update to 2.0.0 immediately.

What happened

LogonTracer is a Windows event-log analysis tool used by defenders to investigate suspicious logon activity by visualising and correlating Windows event data.

CVE-2026-33277 is an OS command injection flaw (CWE-78). Any authenticated user can trigger arbitrary command execution on the host. That is the entire attack chain - credentials in, shell out.

ItemDetail
Affected productLogonTracer
Affected versionsprior to v2.0.0
Patched versionv2.0.0
CVSS v4.0 score8.7 (High)
CVSS v4.0 vectorCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS v3.0 score8.8 (High)
CVSS v3.0 vectorCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

This is the worst kind of command injection: low-privilege access is all it takes. In any shared deployment - analyst teams, SOC tooling, internal security infrastructure - a single compromised account becomes a server-level foothold. And because LogonTracer hosts typically sit close to sensitive forensic data and domain-adjacent systems, the blast radius extends well beyond the tool itself.

Who is impacted

  • Any deployment running LogonTracer versions prior to v2.0.0.
  • Highest risk: instances reachable over a network, or shared deployments where multiple users can authenticate - more accounts means more attack surface for credential compromise.
  • Environments where the LogonTracer host has access to event-log archives, domain credentials, or adjacent internal services.

What to do now

  • Update to LogonTracer v2.0.0 - the vendor-confirmed fix.

    "Update the software to the latest version. The developer has released the following version to address these vulnerabilities: LogonTracer v2.0.0"

  • Inventory every place LogonTracer is running - VMs, containers, analyst workstations - and confirm nothing is on a version < 2.0.0.
  • Reduce exposure while you patch:
    • restrict network access to the LogonTracer UI and API using VPN or allowlists
    • disable or remove dormant user accounts
  • If you suspect compromise, treat the host as potentially owned:
    • review authentication logs for unexpected or anomalous logins
    • examine process execution telemetry on the LogonTracer host for suspicious child processes
    • rotate all credentials accessible from that host

Related

Research

Training

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.

Need help?Get in touch.