Authentication bypass bug found in the Passwordstate enterprise password manager

📟 News

Date: 1 week ago

Click Studios, the company behind the Passwordstate enterprise password manager, has warned customers to urgently apply a patch to fix a critical authentication bypass vulnerability.

Passwordstate functions as a secure password vault, enabling organizations to store, organize, and control access to passwords, API keys, certificates, and other types of credentials through a centralized web interface.

Among other things, the product integrates with Active Directory, and it can also be used for password resets, event auditing, and logging into remote sessions.

According to Click Studios, its password manager is used by more than 370,000 IT professionals working at 29,000 companies around the world, including government agencies, financial institutions, international enterprises, and Fortune 500 companies.

A warning was posted on the company’s official forum, in which Click Studios urged all users to update Passwordstate to version 9.9 Build 9972, released at the end of last week, as soon as possible.

The new version contains two patches, one of which fixes a critical vulnerability (no CVE identifier has been assigned yet). The issue allows attackers to use a specially crafted URL to bypass authentication on the Emergency Access page of the core Passwordstate products and subsequently gain access to the administrative section.

So far, the company is not disclosing any details about this vulnerability.

The publication Bleeping Computer reports that Click Studios has privately offered customers a temporary workaround in case they cannot install the updated version immediately.

“The only temporary protective measure is to set an allowed Emergency Access IP address for your web server under System Settings->Allowed IP Ranges. This is a short-term partial fix, and Click Studios strongly recommends that all customers upgrade to Passwordstate Build 9972 as soon as possible,” the company said.
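Since the workaround only restricts the Emergency Access page by source IP, a defender applying it will want to confirm it is actually holding. The script below is an added example, not Click Studios' code: it replays constructed IIS-style log lines against an allow-list that mirrors the "Allowed IP Ranges" setting and flags Emergency Access requests from outside those ranges. The page path `/emergency` and the log format are assumptions for the example, not values taken from the article.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Assumed path of the Emergency Access page; the article does not give the real one.
EMERGENCY_ACCESS_PATH = "/emergency"

# Allow-list mirroring System Settings -> Allowed IP Ranges (constructed sample values).
ALLOWED_RANGES = [ipaddress.ip_network(r) for r in ("10.0.5.0/24", "192.168.1.10/32")]

# Subset of W3C extended log fields: date time c-ip cs-method cs-uri-stem sc-status
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_allowed(client_ip: str, ranges=ALLOWED_RANGES) -> bool:
    """True if client_ip falls inside one of the configured allowed ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: treat as not allowed
    return any(addr in net for net in ranges)


def find_unauthorised_emergency_requests(lines: Iterable[str],
                                         ranges=ALLOWED_RANGES) -> List[Dict]:
    """Return Emergency Access requests whose source IP is outside the allow-list."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip headers, comments and unparseable lines
        date, time, ip, method, uri, status = m.groups()
        if not uri.lower().startswith(EMERGENCY_ACCESS_PATH):
            continue  # only the Emergency Access page is covered by the workaround
        if not is_allowed(ip, ranges):
            hits.append({"time": f"{date} {time}", "ip": ip,
                         "method": method, "uri": uri, "status": int(status)})
    return hits


# Constructed sample log: one internal hit, one external hit on the emergency page,
# one external hit elsewhere, and one request from the single-host allow entry.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-10 09:00:01 10.0.5.23 GET /emergency/default.aspx 200
2024-01-10 09:00:05 203.0.113.45 GET /emergency/default.aspx 200
2024-01-10 09:01:10 203.0.113.45 GET /passwords/default.aspx 200
2024-01-10 09:02:00 192.168.1.10 POST /emergency/default.aspx 302
"""

if __name__ == "__main__":
    for hit in find_unauthorised_emergency_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['uri']} -> {hit['status']}")
```

A 200 response from an address outside the allowed ranges means the restriction is not in effect on that server and the upgrade to Build 9972 should not wait.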

It’s worth noting that in 2021 Click Studios’ customers had already experienced security issues. At that time, the company fell victim to a cyberattack, during which attackers distributed a malicious Passwordstate update to users, infecting their machines with the Moserware malware. Moreover, shortly after this breach, affected Passwordstate users became targets for phishers.
