Executive Summary
During the investigation of an incident in which an expired certificate caused outages affecting GroupID version 10 deployments, Netwrix determined that a critical-severity hard-coded encryption key vulnerability exists in the implementation of authentication token signing in GroupID 8.0 and later. This vulnerability may allow an attacker to forge authentication tokens and thereby gain administrative access to GroupID and, through it, to any identity store integrated with GroupID. An attacker may be able to obtain the highest possible access level in those identity stores, for example Domain Administrator in Active Directory.
Netwrix is unaware of any evidence of active exploitation of this vulnerability.
Vulnerability
Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
---|---|---|---|---|---|
Use of Hard-coded Encryption Key | Netwrix GroupID | >= 8.0 | 10.0 | 10.0 / 8.7 | Netwrix GroupID includes a hard-coded encryption key. Because this key is used to sign authentication tokens (that is, to prove their authenticity), an adversary who knows the key may be able to forge authentication tokens that appear valid to the application. These forged tokens permit an adversary to specify their own permissions or impersonate any existing user, compromising the confidentiality, integrity, and availability of Netwrix GroupID. Furthermore, because Netwrix GroupID possesses privileged access to any identity store integrated with it, including but not limited to Active Directory, Entra ID and Google Workspace, the adversary can leverage administrative access to Netwrix GroupID to obtain administrative access in the identity store. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Use of Hard-coded Encryption Key | No | No | No |
Solution
Netwrix has released a standalone utility for each supported version of GroupID. The utility replaces the hard-coded encryption key with a key generated for that specific deployment and assists with updating scheduled job authentication tokens.
All GroupID customers, including those conducting new installations, are advised to download and run the tool for their applicable version without delay.
Downloads:
- GroupID Signing Key Utility for GroupID v10 SR2
- GroupID Signing Key Utility for GroupID v11.0
- GroupID Signing Key Utility for GroupID v11.1
Instructions on how to run the utility, how to securely distribute the replacement encryption key in scaled-out deployments, and how to rotate scheduled job authentication credentials are available at the links above.
Please contact the Netwrix technical support team should you need assistance.
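As an added illustration, and not Netwrix code or GroupID's actual token format, the following Python shows why a signing key shared by every installation is the core risk and why replacing it with a per-deployment key invalidates previously issued tokens, which is the reason scheduled job tokens must be re-issued after running the utility. The token layout, claims, key length and the constructed placeholder key are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a key baked into every installation (not GroupID's real key).
HARDCODED_KEY = b"constructed-demo-key-shared-by-all-installs"


def generate_deployment_key() -> bytes:
    """Per-deployment random key, the remediation the advisory describes (assumed 32 bytes)."""
    return secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Issue a token whose claims are authenticated by HMAC-SHA256 under `key` (assumed format)."""
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_token(token: str, key: bytes):
    """Return the claims if the tag verifies under `key`, else None (constant-time compare)."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # malformed base64 or JSON also counts as an invalid token
        return None


def rotation_demo() -> dict:
    """Effect of moving from the shared key to a freshly generated per-deployment key."""
    job_claims = {"sub": "scheduled-job-1", "role": "admin"}
    old_token = sign_token(job_claims, HARDCODED_KEY)  # issued before remediation
    new_key = generate_deployment_key()
    return {
        "old_key_accepts_old_token": verify_token(old_token, HARDCODED_KEY) == job_claims,
        # After rotation the old token no longer verifies, so scheduled jobs need new tokens.
        "new_key_accepts_old_token": verify_token(old_token, new_key) is not None,
        "new_key_accepts_reissued": verify_token(sign_token(job_claims, new_key), new_key) == job_claims,
    }
```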
FAQ
- How do I determine the current version of Netwrix GroupID?
  If you are operating Netwrix GroupID v10, the version number is displayed in the Netwrix GroupID MMC Help tab and in the footer of the Netwrix GroupID Self Service or Password Center Portals.
  If you are operating Netwrix GroupID v11, the version number is displayed in the profile drop-down in the Netwrix GroupID Admin Center and Portal.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
1 | 2025-02-20T14:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.