ADV-2025-014 - Critical Vulnerabilities in Netwrix Directory Manager (formerly Imanami GroupID) v11

Executive Summary

Netwrix strongly advises customers to review this advisory and take the recommended actions without delay.

Several vulnerabilities, some of critical severity, were discovered in Netwrix Directory Manager (formerly Imanami GroupID) v11, which, if left unaddressed, pose a significant risk to customers. While Netwrix is unaware of any current exploitation of these vulnerabilities, the risk arises from the ease of discovery and exploitation, the impact of successful exploitation, and the fact that some Netwrix Directory Manager deployments are exposed to the internet. The vulnerabilities may permit an attacker with the ability to communicate over any network on which Netwrix Directory Manager is accessible to compromise Netwrix Directory Manager and any integrated Identity Stores.

Vulnerability

  • Use of Hard-coded Password in Netwrix Directory Manager v11 (CVE-2025-47748)
    Affected component: Netwrix Directory Manager
    Affected versions: >=11.0.0.0 <11.1.25134.03
    CVSS 4.0 score: 10.0
    CVSS 3.1 score (Base / Temporal): 10.0 / 9.5
    Description: Netwrix Directory Manager v11 includes a hard-coded password used by the product, which may be used to authenticate to the product as an administrator. This credential may allow an attacker with the ability to communicate over any network on which Netwrix Directory Manager is accessible to compromise Netwrix Directory Manager and any integrated Identity Stores.

  • Missing Authentication for Critical Functions in Netwrix Directory Manager v11 (CVE Pending)
    Affected component: Netwrix Directory Manager
    Affected versions: >=11.0.0.0 <11.1.25134.03
    CVSS 4.0 score: 10.0
    CVSS 3.1 score (Base / Temporal): 10.0 / 9.6
    Description: Numerous API endpoints for the Netwrix Directory Manager v11 “Data Service”, an internal API used by components of the product, and several endpoints for the User Portal and Admin Center, do not require authentication and may permit an attacker with the ability to communicate over any network on which Netwrix Directory Manager is accessible to call sensitive operations, access sensitive information, or compromise Netwrix Directory Manager and any integrated Identity Stores.

  • Insertion of Sensitive Information Into Sent Data in Netwrix Directory Manager v11 (CVE Pending)
    Affected component: Netwrix Directory Manager
    Affected versions: >=11.0.0.0 <11.1.25134.03
    CVSS 4.0 score: 8.5
    CVSS 3.1 score (Base / Temporal): 9.1 / 8.4
    Description: The Netwrix Directory Manager v11 Admin Center exposes sensitive information to authenticated users, which may permit an attacker who has gained access to the Admin Center to compromise integrated Identity Stores.

  • Incorrect Permission Assignment for Critical Resource in Netwrix Directory Manager v11 (CVE Pending)
    Affected component: Netwrix Directory Manager
    Affected versions: >=11.0.0.0 <11.1.25134.03
    CVSS 4.0 score: 5.3
    CVSS 3.1 score (Base / Temporal): 5.0 / 4.7
    Description: In the default configuration, Netwrix Directory Manager v11 enables all users from an integrated Identity Store to access the Admin Center with read-only privileges, which overexposes information about Netwrix Directory Manager and integrated Identity Stores.

Exploitability

Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.

  • Use of Hard-coded Password in Netwrix Directory Manager v11 (CVE-2025-47748)
    Publicly known: No. Exploit available: No. Actively exploited: No.
  • Missing Authentication for Critical Functions in Netwrix Directory Manager v11 (CVE Pending)
    Publicly known: No. Exploit available: No. Actively exploited: No.
  • Insertion of Sensitive Information Into Sent Data in Netwrix Directory Manager v11 (CVE Pending)
    Publicly known: No. Exploit available: No. Actively exploited: No.
  • Incorrect Permission Assignment for Critical Resource in Netwrix Directory Manager v11 (CVE Pending)
    Publicly known: No. Exploit available: No. Actively exploited: No.

Solution

All Netwrix Directory Manager customers are advised to apply the available update immediately. This update is essential to remediating and mitigating risk from the described vulnerabilities. Customers with internet-facing deployments are strongly advised to disable access from the internet until the update is deployed.

The update is available in the Netwrix Customer Portal, and will perform the following actions:

  • Apply relevant updates to the application to remediate vulnerabilities described in this document.
  • Perform additional changes, automatically applied post installation, to complete remediation and essential mitigation activities:
    • Create a random password to replace the hard-coded password and store it for application consumption.
    • Assess all Microsoft Internet Information Services (IIS) Application Pools’ identity configuration for the use of a legacy user account, and remove that local user from the system.
    • Apply an IIS IP Security Rule to internal Netwrix Directory Manager services, which will deny remote access to them. Customers will need to use the utility (described below) to add any authorized IP addresses of supporting components, such as User Portals running on a different server.

Netwrix recommends applying the update, as it is the only solution that addresses risk from all vulnerabilities described in this advisory. Customers who are unable to apply the update immediately are strongly advised to apply, without delay, a mitigation for the Missing Authentication for Critical Functions in Netwrix Directory Manager vulnerability. To assist in applying this mitigation, Netwrix has released a standalone utility, with documentation for using it, which configures the IIS IP Security Rule-based mitigation described above.
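As an added example (not Netwrix's update package or standalone utility), the PowerShell below shows how an administrator could carry out checks corresponding to the post-installation steps listed above: generate a random replacement password with the operating system CSPRNG, list IIS application pools whose identity is a given legacy local account, and restrict an internal service application to loopback plus an allow list using the IIS IP Security (IP and Domain Restrictions) configuration section. The account name, IIS application paths and IP addresses are placeholders, since the advisory does not publish them, and where the product stores the generated password is not shown; the functions only return or configure what they name.

```powershell
# Added example: administrative checks and mitigations mirroring the update's
# post-install steps. This is NOT Netwrix's update or utility. Run in an
# elevated session on the IIS server; requires the WebAdministration module.
#Requires -RunAsAdministrator
Import-Module WebAdministration

# --- Placeholders (assumptions; the advisory does not publish these values) ---
$LegacyAccount = 'LEGACY_ACCOUNT_PLACEHOLDER'                        # legacy local user to look for
$InternalApps  = @('Default Web Site/INTERNAL_SERVICE_PLACEHOLDER')  # IIS paths of internal services
$AuthorizedIPs = @('10.0.0.25')                                      # e.g. a User Portal on another server

function New-RandomPassword {
    # Returns a password drawn from a 62-character alphabet using the CSPRNG,
    # with rejection sampling so every character is equally likely.
    param([int]$Length = 32)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789')
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # 248 = 4 * 62: bytes at or above 248 would bias the modulo reduction
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

function Find-AppPoolsUsingAccount {
    # Lists application pools whose identity is a specific user equal to
    # $AccountName, with or without a MACHINE\ or DOMAIN\ prefix.
    param([Parameter(Mandatory)][string]$AccountName)
    Get-ChildItem IIS:\AppPools | Where-Object {
        $u = $_.processModel.userName
        $_.processModel.identityType -eq 'SpecificUser' -and
            (($u -eq $AccountName) -or ($u -like "*\$AccountName"))
    } | Select-Object Name, @{ n = 'Identity'; e = { $_.processModel.userName } }
}

function Set-RestrictedIpAccess {
    # Configures system.webServer/security/ipSecurity for one application:
    # unlisted clients are denied; IPv4 loopback and $AllowedIPs are allowed.
    # Add '::1' to the list if components reach the service over IPv6 loopback.
    param(
        [Parameter(Mandatory)][string]$AppPath,
        [string[]]$AllowedIPs = @()
    )
    $psPath = 'MACHINE/WEBROOT/APPHOST'
    $filter = 'system.webServer/security/ipSecurity'
    # The section only takes effect when the IP and Domain Restrictions feature is installed.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName IIS-IPSecurity
    if ($feature.State -ne 'Enabled') {
        throw 'IIS-IPSecurity (IP and Domain Restrictions) is not installed; enable it first.'
    }
    # Remove any existing rules so re-running yields the same result.
    Clear-WebConfiguration -PSPath $psPath -Location $AppPath -Filter $filter
    Set-WebConfigurationProperty -PSPath $psPath -Location $AppPath -Filter $filter `
        -Name 'allowUnlisted' -Value $false
    foreach ($ip in @('127.0.0.1') + $AllowedIPs) {
        Add-WebConfigurationProperty -PSPath $psPath -Location $AppPath -Filter $filter `
            -Name '.' -Value @{ ipAddress = $ip; allowed = $true }
    }
}

function Get-IpAccessRules {
    # Shows the configured rule list for verification after the change.
    param([Parameter(Mandatory)][string]$AppPath)
    Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $AppPath `
        -Filter 'system.webServer/security/ipSecurity/add' |
        Select-Object ipAddress, allowed
}

# --- Usage ---
Write-Host "Generated replacement password length: $((New-RandomPassword).Length)"
$pools = Find-AppPoolsUsingAccount -AccountName $LegacyAccount
if ($pools) { $pools | Format-Table -AutoSize } else { Write-Host "No app pools run as $LegacyAccount" }
foreach ($app in $InternalApps) {
    Set-RestrictedIpAccess -AppPath $app -AllowedIPs $AuthorizedIPs
    Get-IpAccessRules -AppPath $app | Format-Table -AutoSize
}
```

The IP restriction is applied per application path rather than to the whole site so that user-facing applications on the same site are unaffected; with allowUnlisted set to false, IIS returns a 403 to any client whose address is not in the allow list, which is the "deny remote access" behaviour the advisory describes for the internal services.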

Furthermore, after application of the update, customers are advised to rotate the credentials for all configured Identity Stores.

Official Fixes

Updated software has been released containing official fixes and mitigations as indicated in the table below.

  • Use of Hard-coded Password in Netwrix Directory Manager v11 (CVE-2025-47748): Remediated in 11.1.25134.03
  • Missing Authentication for Critical Functions in Netwrix Directory Manager v11 (CVE Pending): Mitigated in 11.1.25134.03
  • Insertion of Sensitive Information Into Sent Data in Netwrix Directory Manager v11 (CVE Pending): Remediated in 11.1.25134.03
  • Incorrect Permission Assignment for Critical Resource in Netwrix Directory Manager v11 (CVE Pending): Remediated in 11.1.25134.03

FAQ

  1. How do I determine which version of Netwrix Directory Manager is in use?

    Please refer to this knowledge base article which shows how to determine the version of Netwrix Directory Manager.

  2. What is the difference between “remediation” and “mitigation”?

    Remediation refers to the availability of a complete solution (“fix”) for the vulnerability. Mitigations reduce the risk from the vulnerability to acceptable levels without fully addressing the underlying cause. Mitigations are commonly used to rapidly reduce risk from vulnerabilities that require longer durations to remediate.

  3. When will the vulnerabilities be fully remediated?

    Remediation activities will be ongoing until a fix is complete. This advisory will be updated upon completion of remediation activities or upon the release of any additional mitigations that are identified.

  4. What should I do if I have a Netwrix Directory Manager deployment exposed to the internet?

    In this advisory, we advise customers to remove their Netwrix Directory Manager deployment from the internet until the update has been applied. We also recommend that you contact Netwrix technical support to review best practices for internet-facing deployments.

Revisions

Updates to this advisory may be made as necessary. Information about each change will be published in the table below.

  • Revision 1 (2025-05-14T18:00:00Z): First published

Disclaimer

The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.
