Click Studios, the Australia-based maker of Passwordstate, issued a patch after identifying a high-severity vulnerability that could allow attackers to bypass authentication and reach Passwordstate’s Emergency Access page, potentially enabling access to the administration area of the vaults. The vulnerability can be exploited by crafting a URL that leads to the emergency access interface, from which an attacker could pivot to the Passwordstate administration section, the company said.
The company noted that the vulnerability currently has no assigned CVE identifier. Security teams are advised to monitor for any updates from the vendor as more details become available.
Passwordstate is marketed as an enterprise-grade password manager used to safeguard privileged credentials. The product is deployed by about 29,000 customers and 370,000 security professionals; it integrates with Active Directory and supports password resets, event auditing, and remote session logins.
On Thursday, Click Studios told customers it had released an update patching two vulnerabilities. The disclosure included a description of the authentication bypass issue and linked to a forum post announcing Passwordstate build 9972 and its fixes, as well as a security advisory detailing the fixes.
Users and administrators are urged to apply the update promptly, given the high severity and potential risk to organizations’ most privileged credentials.