A significant security vulnerability has been identified in Netwrix Password Secure, an enterprise password management solution.
The flaw, which affects all versions up to 9.2.2, enables authenticated users to achieve remote code execution on systems with the affected client application installed.
This discovery raises concerns about the security of credential management platforms, which are often considered core to organizational security hygiene.
Technical Analysis of the Vulnerability
The vulnerability stems from the application’s document-sharing functionality, which allows users to securely share credentials and associated files within teams.
Upon investigation, security researchers found that the system’s method for handling file shortcuts and their associated properties could be manipulated to execute arbitrary code.
Netwrix Password Secure maintains a list of whitelisted file extensions that can be uploaded and shared, such as PDFs, images, and office documents.
While the application restricts the upload of executable files (such as .exe), it was discovered that the mechanism for modifying existing document shortcuts failed to perform comprehensive validation.
Specifically, when a user edits the file path of an already-uploaded document, only the DocumentPath attribute is altered, while the system continues to rely on the original file extension specified by the DocumentType attribute.
The application’s verification method checks the extension alone, neglecting to validate the actual file path or type referenced in DocumentPath.
Additionally, an overlooked parameter, DocumentParams, inherited by the container object without sufficient security checks, allows attackers to specify execution arguments.
When the application’s OpenInDefaultProgram method is invoked typically by double-clicking a shared document the underlying system uses the path and parameters as provided, effectively launching any executable present in the specified path with arbitrary arguments.
To exploit this, an attacker must first upload a legitimate document (such as a PDF), then alter the shortcut’s file path to reference a trusted, pre-existing executable like PowerShell.exe, and finally use the DocumentParams attribute to inject a malicious payload.
When another authenticated user opens the manipulated shortcut, the specified executable is launched with the attacker-controlled parameters, resulting in remote code execution under the privileges of the user.
Proof of Concept
During practical testing, researchers demonstrated the exploit by replacing a document link’s path with the local path to PowerShell and setting DocumentParams to launch a benign application (such as Windows Calculator).
According to the Report, upon opening the shared link, the payload executed successfully, confirming the vulnerability.
Attack scenarios include both targeted attacks, where specific users are tricked into opening compromised shortcuts, and potential lateral movement within organizations, leveraging shared document links.
The exploit requires authenticated access and some level of user interaction, but the potential consequences are severe, including the spread of malicious code within an enterprise environment.
Netwrix has addressed the vulnerability in all versions of Password Secure above 9.2.2. Users and organizations are urged to upgrade immediately to mitigate the risk.
This incident highlights the importance of thorough validation within collaborative features of security products, and the need for regular penetration testing even for trusted security tools.
Organizations relying on affected versions should prioritize patching and review internal processes for sharing credentials and sensitive documents across teams.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
