Executive Summary
Internal security testing of Netwrix Directory Manager (formerly Imanami GroupID) v11 discovered multiple vulnerabilities that may allow attackers to compromise the confidentiality and integrity of data within the application and integrated identity stores. These vulnerabilities include weak cryptography with hard-coded encryption keys, improper handling of authentication data, authorization bypass issues, and cross-site scripting vulnerabilities.
While Netwrix is unaware of any current exploitation of these vulnerabilities, all Netwrix Directory Manager customers are advised to apply the available update immediately and follow the recommended remediation steps including logging out users and clearing cookies.
Vulnerability
| Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
|---|---|---|---|---|---|
| Weak Cryptography - Use of Hard-coded Encryption Key (CVE Pending) | Netwrix Directory Manager | >=11.0.0.0 <11.1.25241.02 | 9.0 | 8.5 / 7.4 | Netwrix Directory Manager includes a hard coded encryption key which is used to encrypt authentication related key material. This may allow an authenticated attacker, who is able to obtain the encrypted key material, to forge an authentication cookies that appears valid to the application. These forged cookies permit the attacker to impersonate any existing user, thereby compromising Netwrix Directory Manager and any integrated identity store. |
| Use of GET request method with sensitive query string parameter (CVE Pending) | Netwrix Directory Manager | >=11.0.0.0 <11.1.25241.02 | 8.2 | 6.2 / 5.3 | Netwrix Directory Manager uses HTTP GET requests with sensitive query string parameters within the Portal and Admin Center. The URLs, including query strings, of these requests may be logged by the application and/or customer infrastructure. This may allow an authenticated high-privileged attacker with access to such logs to perform actions which are attributed to another user. |
| Account enumeration via inconsistent error messages (CVE Pending) | Netwrix Directory Manager | >=11.0.0.0 <11.1.25241.02 | 6.9 | 5.3 / 5.3 | Netwrix Directory Manager returns different errors for failed login attempts depending on the status of the account attempting to authenticate. This may allow an attacker to determine the existence of accounts in any integrated identity store. |
| Improper Neutralization of Authenticated Input During Web Page Generation (Cross Site-Scripting) (CVE Pending) | Netwrix Directory Manager | >=11.0.0.0 <11.1.25241.02 | 6.8 | 4.5 / 3.9 | Netwrix Directory Manager Portal does not perform sufficient output encoding on certain web pages, which may allow an attacker, who is able to authenticate as an administrator, to conduct stored cross-site scripting attacks. Successful attacks may compromise Netwrix Directory Manager and any integrated identity stores. |
| Authorization Bypass - Missing Function Level Access Controls - Terminated/disabled users (CVE Pending) | Netwrix Directory Manager | >=11.0.0.0 <11.1.25241.02 | 5.3 | 5.0 / 4.4 | Netwrix Directory Manager Portal does not enforce sufficient authorization controls when querying or exporting terminated or disabled user accounts in/from an integrated identity store. This may allow an authenticated, low privileged attacker to obtain metadata for such accounts (password are not exposed). |
| Authorization Bypass - Missing Function Level Access Controls - Private queries (CVE Pending) | Netwrix Directory Manager | >=11.0.0.0 <11.1.25241.02 | 5.3 | 3.4 / 3.8 | Netwrix Directory Manager Portal does not enforce sufficient authorization controls in the private queries feature. This may allow an authenticated, low privileged attacker to obtain metadata for queries belonging to other users or the system. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.
| Title | Publicly known? | Exploit available? | Actively exploited? |
|---|---|---|---|
| Weak Cryptography - Use of Hard-coded Encryption Key | No | No | No |
| Use of GET request method with sensitive query string parameter | No | No | No |
| Account enumeration via inconsistent error messages | No | No | No |
| Improper Neutralization of Authenticated Input During Web Page Generation (Cross Site-Scripting) | No | No | No |
| Authorization Bypass - Missing Function Level Access Controls - Terminated/disabled users | No | No | No |
| Authorization Bypass - Missing Function Level Access Controls - Private queries | No | No | No |
Solution
All Netwrix Directory Manager customers are advised to apply the available update immediately. This update is essential to remediating risk from the described vulnerabilities.
The update is available in the Netwrix Customer Portal, and will apply relevant updates to the application to remediate vulnerabilities described in this document.
Following the upgrade, in some circumstances users may encounter an error when authenticating to the application. To resolve such errors, users should clear the application’s cookies from their browser.
Please contact the Netwrix technical support team should you need assistance.
Official Fixes
Updated software has been released containing official fixes for the vulnerabilities as indicated in the table below.
| Title | Version |
|---|---|
| Weak Cryptography - Use of Hard-coded Encryption Key | 11.1.25241.02 |
| Use of GET request method with sensitive query string parameter | 11.1.25241.02 |
| Account enumeration via inconsistent error messages | 11.1.25241.02 |
| Improper Neutralization of Authenticated Input During Web Page Generation (Cross Site-Scripting) | 11.1.25241.02 |
| Authorization Bypass - Missing Function Level Access Controls - Terminated/disabled users | 11.1.25241.02 |
| Authorization Bypass - Missing Function Level Access Controls - Private queries | 11.1.25241.02 |
FAQ
-
How do I determine which version of Netwrix Directory Manager is in use?
Please refer to this knowledge base article which shows how to determine the version of Netwrix Directory Manager.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
| Revision | Date | Description |
|---|---|---|
| 1 | 2025-09-02T12:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.