ADV-2025-021 - Permissive List of Allowed Inputs in Netwrix Password Secure

Executive Summary

During an internal security review, a vulnerability was identified in the Netwrix Password Secure browser extension affecting versions earlier than 9.2.5.33325. The vulnerability involves permissive validation of allowed inputs, which may allow unauthorized cross-domain use of authentication credentials under specific conditions.

While Netwrix is unaware of any current exploitation of this vulnerability, all Netwrix Password Secure customers are advised to apply the update when it becomes available.

Vulnerability

Title:                              Permissive List of Allowed Inputs (CVE Pending)
Affected Component:                 Netwrix Password Secure
Affected Versions:                  <9.2.5.33325
CVSS 4.0 Score:                     7.3
CVSS 3.1 Score (Base / Temporal):   8.0 / 7.0
Description:                        The application allows authentication credentials to be used across domains when specific secret keys are known. This may permit an authenticated user to access resources in domains other than those for which the credentials were originally intended.

Exploitability

Factors such as whether details of the vulnerability are publicly known, whether an exploit is readily available, and whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below when making those decisions.

Title:                Permissive List of Allowed Inputs
Publicly known?       No
Exploit available?    No
Actively exploited?   No

Solution

All Netwrix Password Secure customers using browser extensions are advised to apply the available update.

The update should be applied automatically by your web browser and is available via Firefox Add-ons, the Chrome Web Store, and Edge Add-ons.

Please contact the Netwrix technical support team should you need assistance.

Official Fixes

Updated software will be released containing official fixes for the vulnerability as indicated in the table below.

Title:     Permissive List of Allowed Inputs
Version:   9.2.5.33325

FAQ

  1. How do I determine which version of Netwrix Password Secure is in use?

    Please contact Netwrix technical support for assistance with version identification.

Revisions

Updates to this advisory may be made as necessary. Information about each change will be published in the table below.

Revision:      1
Date:          2025-09-04T12:00:00Z
Description:   First published

Disclaimer

The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory is at your own risk.