Urgent Patch: Critical Passwordstate Vulnerability Exposed
▼ Summary
– Passwordstate’s maker is urging customers to install an urgent update to fix a high-severity vulnerability that allows administrative access.
– The vulnerability is an authentication bypass enabling attackers to create a URL that accesses the emergency access page and then pivot to the admin section.
– Passwordstate is an enterprise-grade password manager used by 29,000 customers and 370,000 security professionals to safeguard privileged credentials.
– The product integrates with Active Directory and handles functions like password resets, event auditing, and remote session logins.
– Click Studios released an update patching two vulnerabilities, with the authentication bypass being specifically associated with crafted URL access to the emergency page.
Businesses relying on the Passwordstate enterprise password management solution should immediately apply a critical security update addressing a newly discovered high-severity vulnerability. This flaw could allow unauthorized individuals to bypass authentication and gain administrative control over the platform, potentially exposing highly sensitive organizational credentials.
The security weakness involves a carefully constructed URL that targets the system’s emergency access page. Attackers exploiting this flaw could then pivot directly into the administrative interface of the password manager, putting all stored credentials at significant risk. Although a CVE identifier has not yet been assigned, the urgency of the situation cannot be overstated.
Developed by Australian firm Click Studios, Passwordstate serves approximately 29,000 customers and 370,000 security professionals worldwide. The platform is specifically engineered to protect organizations’ most critical and confidential login information, including integration with Active Directory for streamlined user account management. Beyond credential storage, the tool supports essential functions like automated password resets, detailed event auditing, and secure remote session initiation.
In response to the discovery, Click Studios issued an alert to its user base on Thursday, emphasizing the release of an update designed to remediate this and an additional vulnerability. The company has classified the authentication bypass as high severity, urging all administrators to install the patch without delay to prevent potential exploitation.
(Source: Ars Technica)
