Full Report
Click Studios, the company behind the Passwordstate enterprise-grade password manager, has warned customers to patch a high-severity authentication bypass vulnerability as soon as possible. [...]
Analysis Summary
# Vulnerability: Passwordstate Authentication Bypass Flaw
## CVE Details
- CVE ID: Not specified in the advisory (High Severity)
- CVSS Score: Not specified, described as **high-severity**
- CWE: Not specified
## Affected Systems
- Products: Passwordstate (Enterprise-grade password manager)
- Versions: Versions prior to **Build 9972**
- Configurations: Any configuration where the Emergency Access page is accessible.
## Vulnerability Description
A high-severity security flaw exists in Passwordstate that allows an attacker to bypass authentication. The vulnerability is triggered by accessing the core Passwordstate **Emergency Access page** using a carefully crafted URL. Successful exploitation grants the attacker access to the Passwordstate **Administration section**.
## Exploitation
- Status: Vendor advisory issued; the source text does not say whether exploitation has been observed in the wild, but the vendor asks customers to patch as soon as possible.
- Complexity: Low as described; the trigger is a single carefully crafted URL against the Emergency Access page. The crafting details are not disclosed.
- Attack Vector: **Network**. The Emergency Access page is part of the web interface, so the request arrives over HTTP(S) like any other page request.
## Impact
- Confidentiality: High. The bypass lands in the Administration section of a password manager; an attacker with administrative control can work toward the credentials it stores.
- Integrity: High. Administrative settings (including access controls) can be modified.
- Availability: Not stated in the advisory; an attacker with administrative control could plausibly disrupt the service, but no such impact is described.
## Remediation
### Patches
- **Passwordstate Build 9972** (released August 28, 2025).
### Workarounds
- **Partial Workaround:** Configure the `Emergency Access Allowed IP Address` under **System Settings -> Allowed IP Ranges** so that only the webserver's own IP address may reach the Emergency Access page. Click Studios emphasizes this is only a short-term partial fix, not a substitute for Build 9972. Caveat: if Passwordstate sits behind a reverse proxy or load balancer, the IP the application sees may be the proxy's rather than the client's, so verify the restriction actually blocks external requests before relying on it.
## Detection
- Detection methods were not publicly detailed in the provided text. Given the nature of the flaw (a crafted URL against the Emergency Access page), review web server logs for requests to the Emergency Access page from addresses outside the configured allow-list, for Emergency Access requests carrying unexpected query strings, and for any Emergency Access request followed shortly afterwards by successful requests to the Administration section from the same client. Treat a matching sequence as a possible bypass attempt until more details are released.
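The following is an added detection example, not code from Click Studios or from the advisory. It applies the heuristics above to IIS W3C extended log lines (Passwordstate is an IIS-hosted application). Assumptions: the Emergency Access page is served under `/emergency` and the Administration section under `/admin` (adjust `EMERGENCY_PATH` and `ADMIN_PREFIX` to your deployment), and the allow-list is the one configured under Allowed IP Ranges. The log lines are constructed for illustration, and the query string in them is a placeholder, not the real trigger.

```python
"""Flag suspicious requests to the Passwordstate Emergency Access page in IIS W3C logs."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed paths (not from the advisory): adjust to match your Passwordstate URL layout.
EMERGENCY_PATH = "/emergency"
ADMIN_PREFIX = "/admin"


@dataclass
class Request:
    when: datetime
    client_ip: str
    path: str
    query: str
    status: int


def parse_iis_w3c(lines):
    """Parse W3C extended log lines; the '#Fields:' directive names the columns."""
    fields = None
    requests = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        row = dict(zip(fields, cols))
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        query = "" if row["cs-uri-query"] == "-" else row["cs-uri-query"]
        requests.append(Request(when, row["c-ip"], row["cs-uri-stem"].lower(),
                                query, int(row["sc-status"])))
    return requests


def find_suspicious(requests, allowed_ips, window=timedelta(minutes=10)):
    """Return (request, reasons) for Emergency Access hits matching any heuristic."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]

    def is_allowed(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in allowed)

    findings = []
    for r in requests:
        if not r.path.startswith(EMERGENCY_PATH):
            continue
        reasons = []
        if not is_allowed(r.client_ip):
            reasons.append("source not in Emergency Access allow-list")
        if r.query:
            reasons.append("query string supplied to Emergency Access page")
        # Successful Administration section requests from the same client shortly after.
        followed = [a for a in requests
                    if a.client_ip == r.client_ip and a.path.startswith(ADMIN_PREFIX)
                    and r.when <= a.when <= r.when + window and a.status < 400]
        if followed:
            reasons.append(f"admin access within {int(window.total_seconds() // 60)} min")
        if reasons:
            findings.append((r, reasons))
    return findings


# Constructed sample log: one legitimate hit from the webserver's own IP (10.0.0.5),
# then an external client hitting Emergency Access with a query string and reaching admin.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-08-29 09:12:03 10.0.0.5 GET /emergency - 200
2025-08-29 09:15:41 198.51.100.23 GET /emergency x=1 200
2025-08-29 09:15:42 198.51.100.23 GET /admin/systemsettings.aspx - 200
2025-08-29 09:20:00 10.0.0.7 GET /passwords/ - 200
"""


def run_sample():
    """Apply the heuristics to the constructed log with the workaround's allow-list."""
    return find_suspicious(parse_iis_w3c(SAMPLE_LOG.splitlines()), ["10.0.0.5/32"])


if __name__ == "__main__":
    for req, why in run_sample():
        print(f"{req.when} {req.client_ip} {req.path}?{req.query}: {'; '.join(why)}")
```

Run it against exported IIS logs by replacing `SAMPLE_LOG` with the file contents; the allow-list argument should mirror whatever you set under Allowed IP Ranges. A hit on the allow-list heuristic alone is low confidence (the page is reachable by design before the workaround), while the combination with a query string and a prompt Administration section request is what warrants an incident ticket.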
## References
- Vendor Forum Announcement: hXXps://forums.clickstudios.com.au/topic/27316-passwordstate-build-9972-released/
- Vendor Security Advisories: hXXps://www.clickstudios.com.au/security/advisories/#:~:text=Description-,Fixed%20a%20potential%20authentication%20bypass%20issue,-associated%20with%20accessing
- Vendor Changelog: hXXps://www.clickstudios.com.au/passwordstate-changelog.aspx#:~:text=Passwordstate%209.9%20%2D%20Build%209972