ADV-2026-004 - Multiple Vulnerabilities in Netwrix Directory Manager (formerly Netwrix GroupID) v11

Executive Summary

Internal security testing of Netwrix Directory Manager (formerly Netwrix GroupID) v11 discovered multiple vulnerabilities. Successful exploitation may allow attackers to gain unauthorized access to sensitive data, compromise user credentials and sessions, or execute unauthorized actions within the application and integrated identity stores. These vulnerabilities include SQL injection, cross-site scripting, insecure credential storage, information disclosure and missing authorization issues.

While Netwrix is unaware of any current exploitation of these vulnerabilities, all Netwrix Directory Manager customers are advised to apply the available update immediately and follow the recommended remediation steps.

Vulnerability

| Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
| --- | --- | --- | --- | --- | --- |
| Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | Netwrix Directory Manager | <11.1.26035.03 | 9.4 | 9.9 / 8.7 | Netwrix Directory Manager v11 does not perform sufficient SQL query sanitization for specific functions. This may allow an authenticated attacker to gain unauthorized access to data or to compromise Netwrix Directory Manager and any integrated Identity Stores. |
| Improper Neutralization of Input During Web Page Generation (Reflected Cross-Site Scripting) | Netwrix Directory Manager | <11.1.26035.03 | 8.5 | 9.6 / 8.3 | The Netwrix Directory Manager v11 Security Service does not sufficiently encode user-controlled authentication parameters, which may allow an unauthenticated attacker to conduct reflected cross-site scripting (XSS) attacks. Successful attacks may lead to an attacker compromising user credentials. |
| Insufficiently Protected SharePoint Credentials | Netwrix Directory Manager | <11.1.26035.03 | 8.5 | 9.1 / 7.9 | When entitlement management within a SharePoint Site in an Entra ID identity store is configured to use an account other than the identity store service account, Netwrix Directory Manager v11 stores the credentials for that account in an insecure format. This may allow an attacker who is able to gain access to the Netwrix Directory Manager database to compromise the integrated SharePoint Site. |
| Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) | Netwrix Directory Manager | <11.1.26035.03 | 8.5 | 9.0 / 7.8 | The Netwrix Directory Manager v11 User Portal does not perform sufficient output encoding on certain web pages, which may allow an authenticated attacker to conduct stored cross-site scripting (XSS) attacks. Successful attacks may compromise Netwrix Directory Manager and any integrated Identity Stores. |
| Account enumeration via inconsistent error messages | Netwrix Directory Manager | <11.1.26035.03 | 6.9 | 5.8 / 5.1 | Netwrix Directory Manager returns different errors for failed password change and account unlock attempts depending on the status of the account attempting to perform these operations. This may allow an unauthenticated attacker to determine the existence of accounts in any integrated identity store. |
| Insertion of Sensitive Information into Log File | Netwrix Directory Manager | <11.1.26035.03 | 6.7 | 5.5 / 5.1 | Netwrix Directory Manager does not perform sufficient log sanitization during certain administrative operations, which may cause sensitive configuration values to be written to log files. This may allow an attacker who is able to obtain access to log files to obtain credentials and other sensitive information. |
| Missing Authorization - Data Sync Job Details | Netwrix Directory Manager | <11.1.26035.03 | 5.3 | 5.0 / 4.4 | The Netwrix Directory Manager v11 User Portal does not enforce sufficient authorization controls in the data sync feature. This may allow an authenticated, low-privilege attacker to access sensitive data sync job configuration data, including SMTP server credentials. |
| External Control of File Name or Path | Netwrix Directory Manager | <11.1.26035.03 | 4.8 | 2.4 / 2.2 | Netwrix Directory Manager v11 does not perform sufficient server-side validation during data source configuration operations. This may allow an attacker who is able to authenticate to the Admin Portal to determine the existence of arbitrary files on the server or on network shares that Netwrix Directory Manager can access. |

Exploitability

Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.

| Title | Publicly known? | Exploit available? | Actively exploited? |
| --- | --- | --- | --- |
| Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | No | No | No |
| Improper Neutralization of Input During Web Page Generation (Reflected Cross-Site Scripting) | No | No | No |
| Insufficiently Protected SharePoint Credentials | No | No | No |
| Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) | No | No | No |
| Account enumeration via inconsistent error messages | No | No | No |
| Insertion of Sensitive Information into Log File | No | No | No |
| Missing Authorization - Data Sync Job Details | No | No | No |
| External Control of File Name or Path | No | No | No |

Solution

All Netwrix Directory Manager customers are advised to apply the available update immediately. This update is essential to remediating risk from the described vulnerabilities.

The update is available in the Netwrix Customer Portal and applies the relevant updates to the application to remediate the vulnerabilities described in this document.

Following the upgrade, administrators should review historical log files for sensitive information that may have been logged prior to the update and rotate any exposed credentials.
Customers who have configured entitlement management within a SharePoint Site in an Entra ID identity store to use an account other than the identity store service account should rotate the credentials for that account.
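
One way to carry out the log review described above, shown as an added example that is not part of this advisory or of any Netwrix tooling: it scans log lines for key/value pairs that look like credentials and groups the hits per distinct secret, so each credential to rotate appears once and the secret itself is never written to the report. The key names in the pattern, the directory passed to `scan_tree`, and the sample lines are assumptions; the advisory does not state which values were logged or where the logs reside.

```python
import hashlib
import hmac
import os
import re
from pathlib import Path

# Assumed key names: the advisory does not say which configuration values were logged.
KEY = r"[\w.\-]*(?:password|passwd|pwd|secret|api_?key|token)[\w.\-]*"
PAIR = re.compile(r"(?i)(?P<key>" + KEY + r")[\"']?\s*[:=]\s*"
                  r"(?:\"(?P<dq>[^\"]+)\"|'(?P<sq>[^']+)'|(?P<raw>[^\s;,&}\"']+))")
MASKED = re.compile(r"(?i)\*+|\[?redacted\]?|null|none|true|false")
RUN_KEY = os.urandom(32)  # per-run key: fingerprints cannot be brute-forced from the report

def scan_lines(lines, source):
    """Return one finding per logged secret, never the secret itself."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in PAIR.finditer(line):
            value = m.group("dq") or m.group("sq") or m.group("raw")
            if MASKED.fullmatch(value):
                continue  # already sanitized, or not a secret value
            tag = hmac.new(RUN_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]
            findings.append({"source": source, "line": line_no,
                             "key": m.group("key"), "fingerprint": tag})
    return findings

def scan_tree(root):
    """Scan every *.log file under root (the directory is supplied by the operator)."""
    findings = []
    for path in sorted(Path(root).rglob("*.log")):
        with path.open(encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_lines(fh, str(path)))
    return findings

def rotation_list(findings):
    """Group findings by fingerprint: one entry per distinct credential to rotate."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["fingerprint"], []).append((f["key"], f["source"], f["line"]))
    return grouped

# Constructed sample lines; not real Netwrix Directory Manager log output.
SAMPLE = [
    '2026-01-10 09:14:02 INFO Saving {"smtpHost": "mail.example.test", "smtpPassword": "Spring#2025 x"}',
    "2026-01-10 09:14:03 DEBUG connect Server=db01;User Id=svc_app;Password=Tr0ub4dor;Encrypt=True",
    "2026-01-11 02:00:00 DEBUG retry Server=db01;User Id=svc_app;Password=Tr0ub4dor;Encrypt=True",
    "2026-01-12 08:00:00 INFO Saving settings clientSecret=********",
]
```

Pattern matches are a triage aid, so review each reported location manually before deciding that a log file is clean.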

Please contact the Netwrix technical support team should you need assistance.

Official Fixes

Updated software has been released containing official fixes for the vulnerabilities as indicated in the table below.

| Title | Version |
| --- | --- |
| Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | 11.1.26035.03 |
| Improper Neutralization of Input During Web Page Generation (Reflected Cross-Site Scripting) | 11.1.26035.03 |
| Insufficiently Protected SharePoint Credentials | 11.1.26035.03 |
| Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) | 11.1.26035.03 |
| Account enumeration via inconsistent error messages | 11.1.26035.03 |
| Insertion of Sensitive Information into Log File | 11.1.26035.03 |
| Missing Authorization - Data Sync Job Details | 11.1.26035.03 |
| External Control of File Name or Path | 11.1.26035.03 |

FAQ

  1. How do I determine which version of Netwrix Directory Manager is in use?

    Please refer to this knowledge base article which shows how to determine the version of Netwrix Directory Manager.

  2. Are there any actions required after installing the update?

    Yes. Administrators should review historical log files for sensitive information that may have been logged prior to the update and rotate any exposed credentials. Customers who have configured entitlement management within a SharePoint Site in an Entra ID identity store to use an account other than the identity store service account should rotate the credentials for that account.

Revisions

Updates to this advisory may be made as necessary. Information about each change will be published in the table below.

| Revision | Date | Description |
| --- | --- | --- |
| 1 | 2026-02-17T13:00:00Z | First published |

Disclaimer

The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory is at your own risk.