Authentication Bypass Bug Found in Passwordstate Corporate Password Manager

Click Studios, developer of the corporate password manager Passwordstate, has urged customers to immediately install a patch addressing a critical authentication bypass vulnerability.

What Passwordstate Does

Passwordstate functions as a centralized, web-based password vault. It allows organizations to securely store and manage passwords, API keys, certificates, and other credentials. The platform integrates with Active Directory and supports password resets, event auditing, and remote session logins.

According to the company, Passwordstate is used by more than 370,000 IT professionals across 29,000 organizations worldwide—including government agencies, financial institutions, large enterprises, and multiple Fortune 500 firms.

The Vulnerability

In a forum post, Click Studios warned that all users must update to version 9.9 Build 9972, released at the end of last week. The release includes two security patches, one of which addresses the critical flaw.

Although a CVE identifier has not yet been assigned, the company confirmed that the bug allows attackers to craft a malicious URL to bypass authentication on the Emergency Access page. From there, they could gain access to the product’s administrative section.

Click Studios has not disclosed further technical details about the flaw.

Temporary Workaround

For customers unable to immediately install the patch, Click Studios privately shared a short-term mitigation.

“The only temporary protective measure is to set a permitted Emergency Access IP address for your web server in the System Settings → Allowed IP Ranges section. This is a partial fix, and we strongly recommend upgrading to Passwordstate Build 9972 as soon as possible,” the company stated.

History of Security Incidents

This is not the first time Passwordstate has been linked to serious security issues. In 2021, attackers compromised the company’s update mechanism, distributing a malicious software build that infected customer systems with Moserware malware. In the aftermath, affected users were also targeted by phishing campaigns.