
"The maker of Passwordstate, an enterprise-grade password manager for storing companies' most privileged credentials, is urging them to promptly install an update fixing a high-severity vulnerability that hackers can exploit to gain administrative access to their vaults. The authentication bypass allows hackers to create a URL that accesses an emergency access page for Passwordstate. From there, an attacker could pivot to the administrative section of the password manager."
"Click Studios, the Australia-based maker of Passwordstate, says the credential manager is used by 29,000 customers and 370,000 security professionals. The product is designed to safeguard organizations' most privileged and sensitive credentials. Among other things, it integrates into Active Directory, the service Windows network admins use to create, change, and modify user accounts. It can also be used for handling password resets, event auditing, and remote session logins."
Click Studios released an update for Passwordstate that patches two vulnerabilities, including a high-severity authentication bypass. The bypass enables an attacker to craft a URL that accesses Passwordstate's Emergency Access page and then pivot into the Administration section, potentially gaining administrative control of password vaults. Passwordstate is used by 29,000 customers and 370,000 security professionals to protect privileged and sensitive credentials and integrates with Active Directory for account management, password resets, auditing, and remote session logins. No CVE identifier has been issued yet. Customers are urged to install the update promptly to mitigate risk.
Read at Ars Technica