Passwordstate dev urges users to patch auth bypass vulnerability


Click Studios, the company behind the Passwordstate enterprise-grade password manager, has warned customers to patch a high-severity authentication bypass vulnerability as soon as possible.

Passwordstate works as a secure password vault that enables organizations to store, organize, and control access to passwords, API keys, certificates, and various other types of credentials via a centralized web interface.

Click Studios says its Passwordstate password manager is used by over 370,000 IT professionals working at 29,000 companies worldwide, including government agencies, financial institutions, global enterprises, and Fortune 500 companies across various industry sectors.

In a new announcement on the company’s official forum, Click Studios urged users to upgrade “as soon as possible” to Passwordstate 9.9 Build 9972, which was released earlier today with two security updates.

One of them is a high-severity security flaw (with no CVE ID) that allows attackers to use a carefully crafted URL against the core Passwordstate Products’ Emergency Access page to bypass authentication and gain access to the Passwordstate Administration section.

Although the company has not yet publicly shared additional details about this vulnerability, Click Studios has provided a workaround for customers unable to upgrade immediately in emails sent to customers, which BleepingComputer has seen.

“Click Studios has analysed the findings, tested and can confirm the vulnerability exists when a carefully crafted URL is input while on the Emergency Access webpage,” the company said.

“The only partial workaround for this is to set the Emergency Access Allowed IP Address for your webserver under System Settings->Allowed IP Ranges. This is a short-term partial fix and Click Studios strongly recommends that all customers upgrade to Passwordstate Build 9972 as soon as possible.”
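The vendor's interim mitigation is a source-address allowlist in front of the Emergency Access page. The following is an added illustration of that kind of control, not Click Studios' code and not a description of how Passwordstate implements its Allowed IP Ranges setting: the `EmergencyAccessGate` class, the `/emergency` route name and the IP addresses are all constructed for the example. It also shows the check a practitioner would want alongside any IP allowlist: `X-Forwarded-For` is honoured only when the TCP peer is a known reverse proxy, otherwise the header is client-controlled and would let anyone claim the allowed address.

```python
import ipaddress
from typing import Iterable, Optional

# Hypothetical route for the emergency-access page; not Passwordstate's real path.
EMERGENCY_PATH = "/emergency"


class EmergencyAccessGate:
    """Reject requests to the emergency-access route unless the client address
    falls inside an explicit allowlist of CIDR ranges (constructed example)."""

    def __init__(self, allowed_ranges: Iterable[str], trusted_proxies: Iterable[str] = ()):
        self.networks = [ipaddress.ip_network(r, strict=False) for r in allowed_ranges]
        self.proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
        self.denied = []  # (address, path) tuples kept for alerting and audit

    @staticmethod
    def _in(ip, nets) -> bool:
        return any(ip in n for n in nets)

    def client_ip(self, remote_addr: str, x_forwarded_for: Optional[str]) -> Optional[str]:
        """Return the address to authorise, or None if it cannot be parsed.

        X-Forwarded-For is only trusted when the TCP peer is one of our own
        reverse proxies; in that case the right-most entry is the hop that
        proxy appended, while earlier entries may have been supplied by the client.
        """
        try:
            peer = ipaddress.ip_address(remote_addr)
        except ValueError:
            return None
        if x_forwarded_for and self._in(peer, self.proxies):
            candidate = x_forwarded_for.split(",")[-1].strip()
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                return None
        return str(peer)

    def handle(self, path: str, remote_addr: str, x_forwarded_for: Optional[str] = None) -> int:
        """Return an HTTP status: 403 when the emergency route is hit from outside
        the allowlist, 200 otherwise (the real page handler would run after this)."""
        if not path.startswith(EMERGENCY_PATH):
            return 200
        ip_str = self.client_ip(remote_addr, x_forwarded_for)
        if ip_str is None or not self._in(ipaddress.ip_address(ip_str), self.networks):
            self.denied.append((ip_str or remote_addr, path))
            return 403
        return 200


if __name__ == "__main__":
    # Constructed addresses: 10.0.0.5 plays the web server, 10.0.0.1 a trusted proxy.
    gate = EmergencyAccessGate(["10.0.0.5/32"], trusted_proxies=["10.0.0.1"])
    print(gate.handle("/emergency", "10.0.0.5"))                            # 200
    print(gate.handle("/emergency", "203.0.113.7"))                         # 403
    print(gate.handle("/emergency", "203.0.113.7", "10.0.0.5"))             # 403, header not trusted
    print(gate.handle("/emergency", "10.0.0.1", "10.0.0.5, 203.0.113.7"))   # 403, spoofed left entry ignored
    print(gate.denied)
```

The gate is only as partial as the vendor says: every client inside the allowed range still reaches the page, so the allowlist reduces exposure rather than removing the flaw, and the `denied` list is there so that blocked attempts surface in monitoring while the upgrade to Build 9972 is rolled out.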

Four years ago, Click Studios also notified customers that attackers had successfully compromised the password manager’s update mechanism to deliver information-stealing malware known as Moserpass to an undisclosed number of users in April 2021.

Days later, the company confirmed that some of the infected customers “may have had their Passwordstate password records harvested” and that the rest of the users were also being targeted in phishing attacks with updated Moserpass malware.

At the time, Click Studios advised customers who were infected during the April 2021 supply chain attack to reset all passwords stored in their database.


