Critical Vulnerability in Netwrix Password Manager Enables Authenticated Remote Code Execution

A critical security vulnerability has been discovered in Netwrix Password Secure, a widely used enterprise password management solution, potentially allowing authenticated attackers to execute remote code on other users’ systems.

Identified in versions up to 9.2.2, including the specific build 9.2.0.32454 for both client (PSC) and server (PSS) components, this flaw poses a significant risk to organizations relying on the software for secure credential management.

The vulnerability, disclosed by security researchers from 8com on May 22, 2025, stems from a flaw in the application’s document-sharing functionality, which can be exploited to run malicious payloads under certain conditions.

Severe Security Flaw Uncovered

According to the Report, The issue lies in how Netwrix Password Secure handles document links shared among users.

During an in-depth analysis, researchers discovered that the application’s DocumentsHelper class contains a method called OpenInDefaultProgram, which executes files using the default program associated with their extension via a ProcessFileInfo object.

While the software enforces a whitelist of allowed file types (such as PDF, DOCX, and PNG) during initial uploads to prevent direct uploads of executable files like .exe, a bypass was found when modifying existing document links.

The application checks only the DocumentType attribute against the whitelist during updates, leaving the DocumentPath attribute containing the actual file path unverified.

This oversight allows attackers to alter the path to point to an executable, such as PowerShell.exe on a local Windows system, while maintaining a benign file type in the system’s metadata.

Netwrix Responds with Patch in Latest Versions

Exploitation becomes particularly dangerous due to the DocumentParams attribute, which permits the inclusion of parameters passed to the executing program without additional validation.

By setting a malicious payload (like launching the Windows Calculator as a proof of concept) in this field and redirecting the file path to PowerShell.exe, researchers successfully executed arbitrary code when a targeted user double-clicked the tampered document link.

This attack requires user interaction and authenticated access, but it can be executed discreetly, especially through shared links or desktop shortcuts that obscure the malicious file path from the victim.

An alternative scenario involves pointing to executables on accessible network shares, though the local PowerShell exploit was deemed more practical.

Netwrix was promptly informed of the vulnerability on January 28, 2025, by the 8com team, who provided a proof of concept the following day.

After confirmation on February 11, 2025, and subsequent coordination, Netwrix released a fix in versions above 9.2.2. An official advisory (ADV-2025-009) was published on April 1, 2025, detailing the issue and urging users to update immediately.

Organizations using affected versions are strongly advised to patch their systems to mitigate the risk of authenticated remote code execution, which could lead to unauthorized access or data breaches within enterprise environments.

This incident underscores the importance of rigorous input validation and secure file-handling mechanisms in software designed to protect sensitive information.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!