Click Studios has issued an urgent warning for customers of its enterprise-grade password manager, Passwordstate, urging immediate upgrades to patch a newly discovered authentication bypass vulnerability. The flaw, classified as high severity, enables attackers to craft a malicious URL targeting the Emergency Access page, allowing them to bypass authentication controls and gain access to the administration section of the product.
Passwordstate is a widely deployed credential management platform, used by over 370,000 IT professionals in 29,000 organizations globally. Customers include government agencies, financial institutions, Fortune 500 companies, and enterprises across diverse industries, underscoring the potential impact if attackers were to exploit the flaw at scale.
[Image source: clickstudios.com.au]
The patched version, Passwordstate 9.9 Build 9972, was released with fixes for two security issues, including this critical bypass bug. For organizations unable to update immediately, Click Studios has provided a temporary mitigation: restricting Emergency Access to specific IP addresses. However, the company stressed this is only a partial workaround and strongly recommended prompt upgrades to the latest build.
While technical details of the vulnerability have not been fully disclosed, the company confirmed that exploitation is possible with carefully crafted input while on the Emergency Access page. This opens the door for attackers to hijack administrative access, potentially exposing all stored credentials and sensitive data managed within Passwordstate.
The disclosure comes against the backdrop of a previous supply chain attack on Passwordstate in 2021, when attackers compromised the update mechanism to deliver Moserpass malware, leading to credential theft and subsequent phishing campaigns. That incident required impacted users to reset all passwords stored in the database.
The latest flaw in Passwordstate highlights the risks of centralized credential management systems becoming prime targets for attackers. Organizations should patch immediately, enforce IP restrictions until upgrades are completed, and audit administrator activity to detect potential misuse.
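The two defensive steps the article lists for organizations that cannot upgrade at once, an IP allowlist on Emergency Access and an audit of administrator activity, can be checked from the web server's own access logs. The script below is an added example written for this article, not code from Click Studios or from Passwordstate. It assumes a simplified W3C extended log layout (date, time, client IP, method, URI stem, status), and the Emergency Access page path `/emergency` is a placeholder: the real path depends on the deployment and is not stated on the page. The sample log lines are constructed. The patched build number 9972 is the one named in the article.

```python
import ipaddress

# Build that shipped the fix, as reported above (Passwordstate 9.9 Build 9972).
PATCHED_BUILD = 9972

# ASSUMPTION: placeholder path for the Emergency Access page. The real URL is
# deployment-specific and is not given on the page; substitute your own.
EMERGENCY_PAGE_PATH = "/emergency"


def needs_upgrade(build):
    """True when the running build is older than the patched build."""
    return int(build) < PATCHED_BUILD


def load_allowlist(cidrs):
    """Turn CIDR strings into network objects; single IPs are accepted too."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(ip, networks):
    """True when the client address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_w3c_line(line):
    """Parse one simplified W3C extended log line.

    Expected fields: date time c-ip cs-method cs-uri-stem sc-status.
    Directive lines (starting with '#') and short lines are skipped.
    """
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 6:
        return None
    date, time, c_ip, method, uri, status = parts[:6]
    return {
        "timestamp": f"{date} {time}",
        "ip": c_ip,
        "method": method,
        "uri": uri,
        "status": int(status),
    }


def find_unexpected_emergency_access(lines, allowed_cidrs, page_path=EMERGENCY_PAGE_PATH):
    """Return requests to the Emergency Access page from outside the allowlist.

    Every hit is worth reviewing: with the IP restriction in place these
    requests should not be reaching the page at all, and before the
    restriction they are the sessions an administrator audit should start from.
    """
    networks = load_allowlist(allowed_cidrs)
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        # Match the page with or without a query string, case-insensitively.
        if rec["uri"].lower().startswith(page_path.lower()) and not is_allowed(rec["ip"], networks):
            hits.append(rec)
    return hits


# Constructed sample log (not real traffic). 10.0.5.0/24 is the admin network.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2025-09-04 10:01:12 10.0.5.20 GET /emergency 200",        # allowlisted admin
    "2025-09-04 10:02:45 203.0.113.5 GET /emergency?rnd=1 200",  # outside allowlist
    "2025-09-04 10:02:46 203.0.113.5 POST /emergency 302",     # outside allowlist
    "2025-09-04 10:03:00 198.51.100.7 GET /vaults 200",        # not the emergency page
]
ADMIN_NETWORKS = ["10.0.5.0/24"]

if __name__ == "__main__":
    print("upgrade needed for build 9971:", needs_upgrade(9971))
    for hit in find_unexpected_emergency_access(SAMPLE_LOG, ADMIN_NETWORKS):
        print("review:", hit["timestamp"], hit["ip"], hit["method"], hit["uri"], hit["status"])
```

Run it against an export of the IIS logs for the Passwordstate site with the allowlist set to the same ranges configured for Emergency Access; anything it reports after the restriction was applied indicates the restriction is not being enforced where the request enters. The build check is a reminder that the IP restriction is a stop-gap: the article is explicit that only Build 9972 or later closes the bypass.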