Executive Summary
External security research identified multiple vulnerabilities in Netwrix Password Secure. Successful exploitation of the most severe vulnerability may allow an authenticated attacker to execute remote code on the Netwrix Password Secure server, potentially compromising the server and any credentials it manages. A second vulnerability may allow an authenticated attacker to access unauthorized areas of the Netwrix Password Secure application interface.
While Netwrix is unaware of any current exploitation of these vulnerabilities, all Netwrix Password Secure customers are advised to apply the available update immediately.
Acknowledgements
Netwrix thanks the following individuals for responsibly reporting these vulnerabilities and their effort and partnership in improving the security of our products:
- Fabian Mosch of r-tec IT Security GmbH for reporting the Improper Access Control vulnerability
- Abdulaziz Aldayri of SDAIA - Penetration Testing Department for reporting the Insecure Direct Object Reference vulnerability
Vulnerability
| Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
|---|---|---|---|---|---|
| Improper Access Control | Netwrix Password Secure Server | <26.6.100 | 9.4 | 9.9 / 8.9 | Netwrix Password Secure does not perform sufficient authorization checks for some endpoints. This may allow an authenticated attacker to execute remote code on the server. |
| Insecure Direct Object Reference | Netwrix Password Secure Server | <26.6.100 | 5.3 | 4.3 / 4.0 | Netwrix Password Secure does not perform sufficient authorization checks for some endpoints. This may allow an authenticated attacker to view sensitive areas of the UI. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.
| Title | Publicly known? | Exploit available? | Actively exploited? |
|---|---|---|---|
| Improper Access Control | No | No | No |
| Insecure Direct Object Reference | No | No | No |
Solution
All Netwrix Password Secure customers are advised to apply the available update immediately. This update is essential to remediating the risk from the described vulnerabilities.
The update is available in the Netwrix Customer Portal. Instructions for applying the update can be found in the Netwrix Password Secure update documentation.
Please contact the Netwrix technical support team should you need assistance.
Official Fixes
Updated software has been released containing an official fix for the vulnerabilities, as indicated in the table below.
| Product | Release Version |
|---|---|
| Netwrix Password Secure | 26.6.100 |
FAQ
- How do I determine my current version of Netwrix Password Secure?
  Please refer to the Netwrix Password Secure update documentation for guidance on determining the current installed version and applying the update.
- Are there any actions required after installing the update?
  No additional actions are required beyond applying the update to the remediated version or later.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
| Revision | Date | Description |
|---|---|---|
| 1 | 2026-06-18T12:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.