TL;DR
Netwrix has fixed two Netwrix Password Secure vulnerabilities disclosed in advisory ADV-2026-008. The most severe flaw, rated CVSS 3.1 9.9 (CVSS 4.0 9.4), lets an authenticated attacker achieve remote code execution on the Password Secure server. Version 26.6.100 resolves both issues, and no exploitation has been confirmed.
Why It Matters
Password Secure is an enterprise password manager, so its server is a high-value target. A successful attack could compromise, in the vendor’s words, “the server and any credentials it manages.” In other words, one breached account could unlock an organization’s entire credential vault. Consequently, these Netwrix Password Secure vulnerabilities deserve urgent attention even though authentication is required.
How the Attack Works
Both flaws stem from the same root cause: insufficient authorization checks on some server endpoints. The critical Improper Access Control issue allows an authenticated attacker to reach endpoints that permit remote code execution. Meanwhile, a second flaw, an Insecure Direct Object Reference (CVSS 3.1 4.3), lets an authenticated user view restricted areas of the application interface. Netwrix credits external security research with identifying both issues.
Affected Versions
All Netwrix Password Secure Server versions earlier than 26.6.100 are affected by both vulnerabilities.
Exploitation Status
According to the advisory’s exploitability table, neither flaw is publicly known, has an available exploit, or is actively exploited. Netwrix states it “is unaware of any current exploitation of these vulnerabilities.”
Patch and Mitigation
Netwrix urges all customers to apply the update immediately via the Netwrix Customer Portal. Version 26.6.100 contains the official fix for both flaws. For full details, review the official Netwrix security advisory (ADV-2026-008).
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.