The maker of Passwordstate, an enterprise-grade password manager for storing firms’ most privileged credentials, is urging them to promptly install an update fixing a high-severity vulnerability that hackers can exploit to gain administrative access to their vaults.
The authentication bypass allows hackers to craft a URL that accesses an emergency access page for Passwordstate. From there, an attacker could pivot to the Administration section of the password manager. A CVE identifier isn’t yet available.
Safeguarding enterprises’ most privileged credentials
Click Studios, the Australia-based maker of Passwordstate, says the credential manager is used by 29,000 customers and 370,000 security professionals. The product is designed to safeguard organizations’ most privileged and sensitive credentials. Among other things, it integrates with Active Directory, the service Windows network admins use to create, change, and modify user accounts. It can also be used for handling password resets, event auditing, and remote session logins.
On Thursday, Click Studios notified customers that it had released an update that patches two vulnerabilities.
The authentication bypass vulnerability is “related to accessing the core Passwordstate Products’ Emergency Access page, by utilizing a carefully crafted URL, which could allow access to the Passwordstate Administration section,” Click Studios said. The company said the severity level of the vulnerability was high.