The developer behind Passwordstate—an enterprise-grade password manager used to secure organizations’ most sensitive credentials—is urging customers to immediately apply a newly released update that addresses a high-severity flaw. The vulnerability allows attackers to bypass authentication and potentially obtain administrative control over protected vaults.
The flaw lets an attacker use a specially crafted URL to reach Passwordstate's Emergency Access page without authenticating. From there, a threat actor could escalate privileges into the platform's Administration section. No CVE identifier has been assigned to the issue yet.
Protecting organizations’ most sensitive credentials
Click Studios, the Australia-based company behind Passwordstate, reports that the platform is used by 29,000 customers and 370,000 security professionals worldwide. Passwordstate is specifically built to safeguard critical enterprise credentials, offering features such as integration with Active Directory, password rotation and reset functionality, event auditing, and secure remote session logins.
On Thursday, Click Studios announced the rollout of an update that fixes two security vulnerabilities affecting Passwordstate.
According to the company, the authentication bypass flaw is “associated with accessing the core Passwordstate products’ Emergency Access page using a carefully crafted URL, which could allow access to the Passwordstate Administration section.” Click Studios classified the vulnerability as high severity. More details were published in its security advisory.