A critical security vulnerability has been found in Netwrix Password Secure, an enterprise password management solution, allowing authenticated attackers to execute arbitrary code on victim machines.
The vulnerability, identified as CVE-2025-26817, affects all versions of Netwrix Password Secure up to version 9.2.2, exposing organizations that have not updated to the latest release.
The flaw resides in the document sharing functionality of the password manager, which is designed to securely share passwords, keys, and other sensitive information between users within an organization.
The vulnerability exploits a flaw in how the password manager validates file types when updating existing document links.
While the application implements protective measures during initial document uploads by limiting file types to a whitelist, these security checks can be bypassed when modifying existing document links.
An authenticated attacker can manipulate document properties to change the file path to point to an executable file while keeping the original document type in the system.
8 COM security researchers identified this vulnerability during a comprehensive security assessment of the password management platform.
Their investigation revealed that the application fails to verify the complete document path when updating document properties, checking only the DocumentType attribute and neglecting to validate changes to the DocumentPath attribute.
Documents tab as well as the Passwords tab (Source – 8 COM)
“Password managers are considered one of the most secure ways to keep passwords safe,” noted the researchers in their technical report.
“However, this vulnerability demonstrates how even security-focused applications can contain critical flaws in their implementation.”
The vulnerability is particularly concerning because password managers are specifically designed to enhance organizational security, making this a case of security software potentially becoming an attack vector.
The exploit leverages a design oversight in the document sharing functionality. When a document link is initially created, the application correctly validates the file extension against a whitelist.
However, when modifying an existing document link, only the DocumentType attribute is checked, while changes to the DocumentPath attribute are applied without further validation.
Exploitation Details
The exploitation process begins with an attacker creating a legitimate document link using an allowed file type, such as a PDF.
After the document is saved to the database, the attacker modifies the DocumentPath attribute to point to PowerShell.exe while leaving the DocumentType unchanged as “pdf”.
The vulnerability lies in the VerifyCorrectDocumentType method:
public void UpdateContainerFileHandle(MtoContainer container, Guid fileHandle)
{
    // Only the DocumentType attribute is verified here; DocumentPath is never inspected.
    this.VerifyCorrectDocumentType(container);
    // The write-right check confirms the caller may modify the container, not what the new path points to.
    using (RightManager rm = new RightManager(base.CurrentConnection))
    {
        rm.VerifyObjectRight(container.Id, Rights.RightWrite, true);
    }
}
This method only checks the DocumentType attribute but fails to validate the DocumentPath. The DocumentParams attribute can also be manipulated to include PowerShell commands:
// Every attribute of the incoming container is copied onto the stored one,
// so DocumentPath and DocumentParams reach the database with no validation beyond the DocumentType check above.
currendContainer.TimeStampUtc = container.TimeStampUtc;
currendContainer.DocumentPath = container.DocumentPath;
currendContainer.DocumentType = container.DocumentType;
currendContainer.DocumentSize = container.DocumentSize;
currendContainer.DocumentMeta = container.DocumentMeta;
currendContainer.DocumentParams = container.DocumentParams;
currendContainer.DocumentCacheDeleteTime = container.DocumentCacheDeleteTime;
currendContainer.EntityState = MtoEntityState.Modified;
When a victim user opens the shared document link, the system executes PowerShell with the attacker-controlled parameters rather than opening the expected PDF file.
Exploitation (Source – 8 COM)
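The following is an added Python model of the validation gap described above, not code from Netwrix or 8 COM: a type-only check of the kind the article describes beside a hardened check that also validates the stored path's extension and its agreement with DocumentType. The whitelist, attribute names and sample paths are constructed for illustration.

```python
import os
from dataclasses import dataclass

# Constructed whitelist for illustration; the product's actual list is not on the page.
ALLOWED_EXTENSIONS = {"pdf", "docx", "txt"}


@dataclass
class Container:
    """Mirrors the three attributes the article discusses (names are illustrative)."""
    document_type: str
    document_path: str
    document_params: str = ""


def _extension(path: str) -> str:
    return os.path.splitext(path)[1].lstrip(".").lower()


def verify_type_only(container: Container) -> None:
    """Models the flawed check: only DocumentType is compared to the whitelist."""
    if container.document_type.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("document type not allowed")


def verify_type_and_path(container: Container) -> None:
    """Hardened check: the path's real extension must be whitelisted, must agree
    with DocumentType, and a plain document link carries no launch parameters."""
    ext = _extension(container.document_path)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"path extension {ext!r} not allowed")
    if ext != container.document_type.lower():
        raise ValueError("DocumentType does not match DocumentPath")
    if container.document_params:
        raise ValueError("parameters are not allowed on document links")


def update_link(stored: Container, update: Container, verify) -> Container:
    """Apply an update as the article describes: after the check, every attribute
    is copied through, so the check alone decides what reaches the database."""
    verify(update)
    stored.document_path = update.document_path
    stored.document_type = update.document_type
    stored.document_params = update.document_params
    return stored


def attempt_retarget(verify) -> str:
    """Create a valid PDF link, then try to repoint it at an executable while
    keeping DocumentType as 'pdf'. Returns the path left in the stored record."""
    stored = Container("pdf", r"\\share\docs\policy.pdf")
    verify_type_and_path(stored)  # the initial upload is validated in both models
    malicious = Container("pdf", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          "<attacker-controlled parameters>")  # constructed
    try:
        update_link(stored, malicious, verify)
    except ValueError:
        pass  # the hardened check rejects the update and the record is unchanged
    return stored.document_path
```

With the type-only check the executable path is accepted because DocumentType still reads "pdf"; the hardened check rejects it because the path's own extension is not whitelisted.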
Exploitation allows remote code execution in the context of the victim’s user account. Netwrix has released fixes in versions above 9.2.2, and users are strongly advised to update immediately.
The vulnerability was responsibly disclosed following a coordinated timeline, with initial contact made on January 28, 2025, and public disclosure on May 22, 2025, after remediation was available.