Executive Summary
Multiple vulnerabilities were identified in Netwrix Auditor during routine security assessments. These vulnerabilities affect various components including Netwrix Auditor User Activity Agent, Netwrix Auditor Server, Netwrix Auditor Event Log Manager, and Netwrix Auditor for VMware Auditing. The vulnerabilities may allow an attacker to obtain VMware credentials, obtain SMTP server credentials, compromise the integrity of session recordings, or affect the availability of Netwrix Auditor Server.
All Netwrix Auditor customers are advised to apply the available update as soon as possible. Netwrix is unaware of any current exploitation of these vulnerabilities.
Vulnerability
| Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
|---|---|---|---|---|---|
| Server Side Request Forgery | Netwrix Auditor for VMware Auditing | <10.7.13878 & <10.8.15173.0 | 8.5 | 7.7 / 6.7 | Netwrix Auditor for VMware Auditing does not sufficiently verify a user-supplied URL prior to use. This may allow an attacker to obtain VMware credentials. |
| Origin Validation Error - Session files | Netwrix Auditor User Activity Agent | <10.7.13878 & <10.8.15173.0 | 6.8 | 5.5 / 4.8 | Netwrix Auditor User Activity Agent did not validate that files purported to represent a User Activity session legitimately form part of that session. This may allow an attacker, with access to a User Activity monitored endpoint, to inject arbitrary files into session recordings from that endpoint. |
| Uncontrolled Resource Consumption - Server storage | Netwrix Auditor Server | <10.7.13878 & <10.8.15173.0 | 6.8 | 5.5 / 4.8 | Netwrix Auditor Server accepts User Activity session files from Auditor Agent without validating that the required storage space is available and without reserving required space for normal operations. This could allow an attacker, with access to a User Activity monitored endpoint, to affect the availability of Netwrix Auditor Server. |
| Weak Cryptography - Hardcoded Encryption Key and Weak Cryptographic Algorithm | Netwrix Auditor Event Log Manager | <10.7.13878 & <10.8.15173.0 | 4.6 | 5.7 / 5.0 | Netwrix Auditor Event Log Manager uses a hard-coded encryption key and a weak cryptographic algorithm to secure SMTP server credentials in configuration. This may allow an attacker, who gains access to the relevant configuration file, to obtain the credentials and access the SMTP server. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.
| Title | Publicly known? | Exploit available? | Actively exploited? |
|---|---|---|---|
| Server Side Request Forgery | No | No | No |
| Origin Validation Error - Session files | No | No | No |
| Uncontrolled Resource Consumption - Server storage | No | No | No |
| Weak Cryptography - Hardcoded Encryption Key and Weak Cryptographic Algorithm | No | No | No |
Solution
All Netwrix Auditor customers are advised to update Netwrix Auditor as soon as possible:
- 10.8: Update to version 10.8.15173.0 or later
- 10.7: Update to version 10.7.13878 or later
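To make the "affected versions" check repeatable across many servers, the following added example (not Netwrix code) compares an installed build against the fixed versions in this advisory, padding version tuples so that "10.8.15173" and "10.8.15173.0" compare equal. It assumes that branches other than 10.7 and 10.8 are outside the advisory's scope (reported as unknown) and that the Add/Remove Programs entry's DisplayName contains the substring "Netwrix Auditor".

```python
"""Added example, not Netwrix code: check a Netwrix Auditor build against the
fixed versions in this advisory (10.7.13878 and 10.8.15173.0)."""

# Fixed builds from the advisory's "Official Fixes" table, keyed by branch.
FIXED_VERSIONS = {(10, 7): (10, 7, 13878), (10, 8): (10, 8, 15173, 0)}


def parse_version(text):
    """'10.8.15173.0' -> (10, 8, 15173, 0); rejects anything non-numeric."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed):
    """True = predates the fix, False = fixed, None = branch not covered.
    Assumption: branches other than 10.7/10.8 are out of the advisory's scope."""
    ver = parse_version(installed)
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        return None
    # Pad to equal length: a bare shorter tuple compares as lower in Python,
    # which would wrongly flag '10.8.15173' as older than '10.8.15173.0'.
    width = max(len(ver), len(fixed))
    ver += (0,) * (width - len(ver))
    fixed += (0,) * (width - len(fixed))
    return ver < fixed


def installed_netwrix_versions():
    """Read DisplayVersion of Add/Remove Programs entries (the place the
    advisory points to) whose DisplayName contains 'Netwrix Auditor'.
    Assumption: that substring matches the product entry. [] off Windows."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    for root in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                 r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                try:
                    with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                        if "Netwrix Auditor" in winreg.QueryValueEx(sub, "DisplayName")[0]:
                            found.append(winreg.QueryValueEx(sub, "DisplayVersion")[0])
                except OSError:
                    continue
    return found
```

Run `for v in installed_netwrix_versions(): print(v, is_affected(v))` on each Auditor host; `True` means the build still needs the update.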
Instructions for the Netwrix Auditor upgrade process can be found in this documentation.
After updating, administrators should open Netwrix Auditor Event Log Manager to automatically re-encrypt SMTP credentials with a secure encryption key and algorithm. Rotation of SMTP credentials is recommended.
Please contact the Netwrix technical support team should you need assistance.
Official Fixes
Updated software has been released containing official fixes for the vulnerabilities as indicated in the table below.
| Product | Release Version |
|---|---|
| Netwrix Auditor 10.7 | 10.7.13878 |
| Netwrix Auditor 10.8 | 10.8.15173.0 |
FAQ
- How do I determine my current version of Netwrix Auditor?
  The version can be found in the General tab in Netwrix Auditor and in Windows “Add/Remove Programs”.
- Are there any configuration changes required after updating?
  After updating, administrators should open Netwrix Auditor Event Log Manager. This will automatically re-encrypt SMTP server credentials with a secure encryption key and algorithm. Rotation of SMTP credentials is recommended.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
| Revision | Date | Description |
|---|---|---|
| 1 | 2026-01-29T13:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory is at your own risk.