Click Studios

The article reports an authentication bypass vulnerability (CVE pending) in Passwordstate, an enterprise-grade password manager used by over 370,000 users across 29,000 organizations, including government agencies and Fortune 500 companies. The flaw allows attackers to use a carefully crafted URL to gain unauthorized access to the Passwordstate Administration section without authenticating, potentially exposing stored credentials, API keys, certificates, and other sensitive secrets.

While no active exploitation has been confirmed, the risk is severe given Passwordstate's role in securing critical enterprise credentials. A partial workaround (restricting Emergency Access via IP whitelisting) exists, but Click Studios strongly urges immediate patching to Build 9972 to mitigate the risk. The vulnerability's ease of exploitation remains unclear, but its potential impact, unauthorized administrative access to a centralized password vault, could enable lateral movement, privilege escalation, or full credential compromise across an organization's infrastructure.

Given Passwordstate's widespread use in high-stakes sectors (finance, government, healthcare), a successful attack could lead to large-scale credential theft, operational disruption, or downstream breaches in dependent systems. The lack of a CVE score at the time of reporting underscores the urgency of remediation before threat actors weaponize the flaw.

Source: https://www.techradar.com/pro/security/passwordstate-users-should-patch-this-auth-bypass-vulnerability-immediately-company-says

TPRM report: https://www.rankiteo.com/company/click-studios-sa-pty-ltd

"id": "cli910083025",
"linkid": "click-studios-sa-pty-ltd",
"type": "Vulnerability",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '370,000+ users across 29,000 '
                                              'companies (including government '
                                              'agencies, financial '
                                              'institutions, Fortune 500 '
                                              'companies)',
                        'industry': 'Cybersecurity (Password Management)',
                        'name': 'Click Studios (Passwordstate)',
                        'type': 'Software Vendor'}],
 'attack_vector': 'Network (crafted URL targeting Emergency Access page)',
 'customer_advisories': 'Urgent upgrade recommendation; workaround '
                        'instructions provided',
 'description': 'Passwordstate, an enterprise-grade password manager, released '
                'build 9972 to patch an authentication bypass flaw that could '
                'allow unauthorized access to the Passwordstate Administration '
                'section via a carefully crafted URL targeting the Emergency '
                'Access page. Users are urged to update immediately. A '
                'temporary workaround involves restricting Emergency Access to '
                'specific IP ranges under System Settings->Allowed IP Ranges.',
 'impact': {'brand_reputation_impact': 'Moderate (proactive patching mitigates '
                                       'long-term damage, but vulnerability '
                                       'exposure may erode trust)',
            'identity_theft_risk': 'High (if administrative access is abused '
                                   'to exfiltrate stored credentials)',
            'operational_impact': 'Potential unauthorized administrative '
                                  'access; risk of credential theft or '
                                  'privilege escalation',
            'payment_information_risk': 'High (if payment-related credentials '
                                        'are stored in Passwordstate)',
            'systems_affected': ['Passwordstate Administration section']},
 'initial_access_broker': {'entry_point': 'Emergency Access page via crafted '
                                          'URL',
                           'high_value_targets': ['Passwordstate '
                                                  'Administration section',
                                                  'Stored '
                                                  'credentials/secrets']},
 'investigation_status': 'Ongoing (CVE pending, severity assessment '
                         'incomplete)',
 'post_incident_analysis': {'corrective_actions': ['Patch release (Build 9972)',
                                                   'IP-based access '
                                                   'restrictions for Emergency '
                                                   'Access'],
                            'root_causes': ['Authentication bypass '
                                            'vulnerability in Emergency Access '
                                            'functionality']},
 'recommendations': ['Immediately upgrade to Passwordstate Build 9972',
                     'Restrict Emergency Access to trusted IP ranges as a '
                     'temporary mitigation',
                     'Monitor for unauthorized access attempts targeting the '
                     'Emergency Access page',
                     'Review administrative access logs for suspicious '
                     'activity'],
 'references': [{'source': 'BleepingComputer'},
                {'source': 'Click Studios Security Advisory'}],
 'response': {'communication_strategy': ['Public security advisory',
                                         'Media outreach (e.g., '
                                         'BleepingComputer)'],
              'containment_measures': ['IP restriction workaround (Emergency '
                                       'Access Allowed IP Address)',
                                       'Urgent patch deployment (Build 9972)'],
              'incident_response_plan_activated': 'Yes (security advisory and '
                                                  'patch release)',
              'remediation_measures': ['Patch to Build 9972']},
 'stakeholder_advisories': 'Public security advisory issued; customers '
                           'notified via email/newsletter',
 'title': 'Passwordstate Authentication Bypass Vulnerability (Build 9972)',
 'type': 'Authentication Bypass Vulnerability',
 'vulnerability_exploited': 'Authentication bypass in Passwordstate Emergency '
                            'Access (CVE pending)'}