Executive Summary
Netwrix strongly advises customers to review this advisory and take the recommended actions without delay.
In Netwrix Directory Manager (formerly Imanami GroupID) v10 and earlier, a hard-coded password was used by the product, which could be used to authenticate as an administrator to the Windows server on which Netwrix Directory Manager is installed or to the product itself. Beginning in v9, this hard-coded password was replaced with customer-supplied credentials. However, this hard-coded user was not removed from the Netwrix Directory Manager installer and thus persists on the Windows server. Conditions may also exist where customers who upgraded from an earlier version of Netwrix Directory Manager to v10 could continue to use the hard-coded password for the Netwrix Directory Manager product.
Vulnerability
Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
---|---|---|---|---|---|
Hard-coded Password in Netwrix Directory Manager (CVE-2025-48748) | Netwrix Directory Manager | <=10.0.7784.0 | 10.0 | 10.0 / 9.0 | Netwrix Directory Manager v10 and earlier include a hard-coded password, which may be used to authenticate as an administrator to the Windows server on which Netwrix Directory Manager is installed or the product itself. Though this password is no longer used beginning in Netwrix Directory Manager v9, the user persisted on the Windows server, and conditions may exist where Netwrix Directory Manager v9 and v10 still utilize the credential. This credential may allow an attacker with the ability to communicate over any network on which Netwrix Directory Manager is accessible to compromise Netwrix Directory Manager and any integrated Identity Stores. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Hard-coded Password in Netwrix Directory Manager (CVE-2025-48748) | No | No | No |
Solution
All customers are advised to disable internet access to Netwrix Directory Manager until such time as the actions recommended in this advisory are taken.
Customers running a version of Netwrix Directory Manager earlier than v10 SR2 (10.0.7784.0) are advised to update to the latest release of v10, as prior versions are no longer supported.
All customers running v10 SR2 (10.0.7784.0) and earlier are advised to examine the Microsoft Internet Information Services (IIS) Application Pools for the use of the GroupIDSSUser as the Application Pool Identity.
Netwrix has published instructions for manually assessing whether a vulnerable condition is present and remediating it, and a utility for aiding this assessment.
If the GroupIDSSUser is determined to be used to run any IIS Application Pool, Netwrix advises customers to create a new service account within their control and update the Application Pool Identity for each Application Pool to this user. The GroupIDSSUser local Windows account should then be deleted.
Additionally, this tool will apply an IIS IP Security Rule to internal Netwrix Directory Manager services, which will prevent remote access to them. This may affect customers who use the Netwrix Directory Manager Admin Center MMC or PowerShell interface externally. Netwrix advises customers to operate these utilities from the Netwrix Directory Manager server.
Please contact the Netwrix technical support team should you need assistance.
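A read-only way to run the Application Pool check described above, as an added example that is not Netwrix's published utility or instructions. It assumes an elevated Windows PowerShell session on the Directory Manager server with the WebAdministration and LocalAccounts modules available; the helper name `Test-IsTargetAccount` and the output layout are choices made here.

```powershell
# Added example: reports only, changes nothing. Not the Netwrix assessment utility.
Import-Module WebAdministration -ErrorAction Stop

$AccountName = 'GroupIDSSUser'   # account named in this advisory

function Test-IsTargetAccount {
    # Hypothetical helper: compares only the account part of an identity string,
    # so HOST\user, .\user and user@host all match the bare name.
    param([string]$UserName, [string]$Target)
    if ([string]::IsNullOrWhiteSpace($UserName)) { return $false }
    $leaf = ($UserName -split '\\')[-1]
    $leaf = ($leaf -split '@')[0]
    return $leaf -ieq $Target
}

# 1. List every IIS Application Pool with its identity and flag matches.
$pools = Get-ChildItem IIS:\AppPools | ForEach-Object {
    [pscustomobject]@{
        AppPool      = $_.Name
        IdentityType = $_.processModel.identityType
        UserName     = $_.processModel.userName
        UsesAccount  = Test-IsTargetAccount $_.processModel.userName $AccountName
    }
}
$pools | Sort-Object UsesAccount -Descending | Format-Table -AutoSize

# 2. Check whether the local Windows account still exists on this server.
$local = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue

# 3. Summarize what still needs attention.
$flagged = @($pools | Where-Object UsesAccount)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} Application Pool(s) run as {1}: {2}" -f `
        $flagged.Count, $AccountName, ($flagged.AppPool -join ', '))
}
if ($local) {
    Write-Warning ("Local account {0} exists (Enabled={1}, LastLogon={2})" -f `
        $local.Name, $local.Enabled, $local.LastLogon)
}
if ($flagged.Count -eq 0 -and -not $local) {
    Write-Output "No Application Pool uses $AccountName and the local account is absent."
}
```

A warning from step 1 means the pools listed need a new identity before the account is deleted; a warning from step 2 alone means the account is unused by IIS but still present.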
FAQ
- How do I determine which version of Netwrix Directory Manager is in use?
  Please refer to this knowledge base article, page 17, which shows how the version information can be determined.
- What should I do if I have a Netwrix Directory Manager deployment exposed to the internet?
  In this advisory, we advise customers to remove their Netwrix Directory Manager deployment from the internet until such time as the update has been applied. We also recommend that you contact Netwrix technical support to review best practices for internet-facing deployments.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
2 | 2025-05-28T12:00:00Z | Add assigned CVE |
1 | 2025-05-14T18:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.