Executive Summary
As part of its secure development practices, Netwrix performed internal security testing of Netwrix Endpoint Policy Manager Group Policy Compliance Reporter and also contracted a third party to conduct a penetration test against the product. Both efforts discovered a hard-coded password vulnerability affecting the product's use of Microsoft SQL Server Compact Edition (SQL CE). This may allow an unauthorized attacker to compromise the confidentiality and integrity of the data held in the SQL CE database.
While Netwrix is unaware of any current exploitation of this vulnerability, all Netwrix Endpoint Policy Manager Group Policy Compliance Reporter customers are advised to apply the available update immediately and follow the new password generation process.
Vulnerability
Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
---|---|---|---|---|---|
Hard Coded Password SQL CE Database Password (CVE Pending) | Netwrix Endpoint Policy Manager Group Policy Compliance Reporter | < 25.7.4331 | 8.6 | 8.1 / 7.1 | Netwrix Endpoint Policy Manager Group Policy Compliance Reporter uses a hard-coded password for the local and remote SQL CE instances it creates. This may allow an unauthorized attacker to compromise the confidentiality and integrity of the data held in the SQL CE database. |
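To make the class of finding concrete, the following PowerShell is an added illustration written for this page; it is not Netwrix code and does not describe the product's internals. It shows the weak pattern (a connection string carrying a constant baked into the software, so every installation shares one secret) beside the general remediation pattern (a random password generated per installation and kept only in DPAPI-protected form). The function names, the placeholder password and the file path are hypothetical, and the DPAPI calls require Windows.

```powershell
# Added illustration, not Netwrix code. All names and paths are hypothetical.

# Weak pattern: one constant shared by every installation. Anyone who extracts it
# from a single copy can open the SQL CE database file on any other host.
function Get-HardCodedConnectionString {
    param([string]$DatabasePath)
    $password = 'ExamplePassword123'   # placeholder for the embedded constant
    return "Data Source=$DatabasePath;Password=$password;"
}

# Corrected pattern, step 1: generate a fresh random password at install time.
function New-DatabasePassword {
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling: 248 = 4 * 62, so every alphabet character is equally likely.
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    return $sb.ToString()
}

# Corrected pattern, step 2: store the password only in DPAPI-protected form,
# scoped to the account that runs the service. CurrentUser scope means another
# local account cannot decrypt it; LocalMachine scope would let any local process do so.
function Protect-DatabasePassword {
    param([string]$Password, [string]$OutFile)
    Add-Type -AssemblyName System.Security
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $protected = [System.Security.Cryptography.ProtectedData]::Protect(
        $plain, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.IO.File]::WriteAllBytes($OutFile, $protected)
}

function Unprotect-DatabasePassword {
    param([string]$InFile)
    Add-Type -AssemblyName System.Security
    $protected = [System.IO.File]::ReadAllBytes($InFile)
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $protected, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Usage: build the connection string from the protected secret at run time,
# so the password never appears as a constant in code or configuration.
$secretFile = Join-Path $env:ProgramData 'ExampleReporter\db.secret'   # hypothetical path
New-Item -ItemType Directory -Force -Path (Split-Path $secretFile) | Out-Null
Protect-DatabasePassword -Password (New-DatabasePassword) -OutFile $secretFile
$pw = Unprotect-DatabasePassword -InFile $secretFile
$connectionString = "Data Source=C:\ExampleReporter\report.sdf;Password=$pw;"
"Generated per-install password of length $($pw.Length); secret protected at $secretFile"
```

The point for a defender reviewing a product like this is the second half: a per-installation secret that is generated, not shipped, and that is protected at rest under the service account. With that in place, knowledge gained from one installation says nothing about any other.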
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Hard Coded Password SQL CE Database Password | No | No | No |
Solution
All Netwrix Endpoint Policy Manager Group Policy Compliance Reporter customers are advised to apply the available update immediately. This update is essential to remediating risk from the described vulnerability.
Customers should upgrade Netwrix Endpoint Policy Manager Group Policy Compliance Reporter server and client to version 25.7.4331, run the Netwrix Endpoint Policy Manager Group Policy Compliance Reporter client and proceed with the new password generation process when prompted.
The update is available in the Netwrix Endpoint Policy Manager Portal.
Please contact the Netwrix technical support team should you need assistance.
Official Fixes
Updated software has been released containing official fixes for the vulnerability as indicated in the table below.
Title | Version |
---|---|
Hard Coded Password SQL CE Database Password | 25.7.4331 |
FAQ
How do I determine which version of Netwrix Endpoint Policy Manager Group Policy Compliance Reporter is in use?
The version is available in Windows → Settings → Add/Remove Programs.
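For checking many hosts at once, the following PowerShell is an added example (not from the advisory) that reads the same Uninstall registry data that Add/Remove Programs displays and compares the installed version with the fixed version 25.7.4331 given above. The DisplayName match pattern is an assumption; adjust it to the product name shown locally.

```powershell
# Added example, not from the advisory. Reads the Uninstall registry keys (the
# data behind Add/Remove Programs) and compares against the fixed version.

$FixedVersion = [version]'25.7.4331'                    # fixed version from the advisory
$NamePattern  = '*Group Policy Compliance Reporter*'    # assumed DisplayName wording

function Get-ReporterInstall {
    # Both native and 32-bit-on-64-bit uninstall hives.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-ReporterPatched {
    param([string]$DisplayVersion)
    # An unparseable or missing version is treated as unpatched, never as safe.
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return $false }
    return $v -ge $FixedVersion
}

$installs = @(Get-ReporterInstall)
if ($installs.Count -eq 0) {
    'No matching installation found in the Uninstall registry keys.'
}
foreach ($app in $installs) {
    $status = if (Test-ReporterPatched $app.DisplayVersion) { 'patched' } else { 'VULNERABLE - update required' }
    '{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $status
}
```

Run it locally or through Invoke-Command against a list of servers and clients; the advisory's solution section asks for both the server and the client to be at 25.7.4331, so any host reporting a lower version, or no parseable version, still needs the update.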
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
1 | 2025-08-19T12:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory is at your own risk.