
Click Studios, the developer of the Passwordstate enterprise password manager, has issued an urgent warning to its customer base regarding a high-severity authentication bypass vulnerability, designated CVE-2024-39337. The flaw, discovered by researcher Roy Sugiyama of Bastion Security, allows an attacker to compromise any user account with knowledge of only the victim’s username, granting full access to all stored credentials, secrets, and administrative functions within the on-premises solution. This alert underscores the critical nature of the software as a high-value target and the persistent need for rigorous security maintenance in credential management systems.
This incident is not an isolated event but rather part of a broader narrative concerning Passwordstate’s security posture. The product has a documented history of critical vulnerabilities, including a severe API authentication bypass (CVE-2022-3875) disclosed in late 2022 and a supply chain attack in 2021. The evolution of the platform, from a period of significant feature expansion to its current state of proactive security hardening, provides a compelling case study on the challenges of securing enterprise software under constant scrutiny.
Technical Breakdown of CVE-2024-39337
The core of the vulnerability lies in a flaw within the application’s authentication logic, specifically affecting the Active Directory Integrated Login and Local Account Login methods. According to the Bastion Security advisory, the attack does not require the attacker to know the victim’s password and can bypass any configured multi-factor authentication (MFA). The exploit involves a multi-step process where a failed login attempt on a specific page inadvertently establishes a partial session state that can be manipulated. For Active Directory accounts, an attacker navigates to `/logins/loginadan.aspx`, enters the victim’s username with an incorrect password, and is then able to directly access an MFA setup page. Completing this setup causes the application to erroneously grant full authenticated access.
For environments using SAML authentication, the initial attack vector is blocked by redirection to an SSO identity provider. However, this protection is circumvented by first visiting the `/emergency/` endpoint before initiating the attack sequence. The attack against local accounts follows a different path. After entering a known username and an arbitrary password on the same login page, the attacker navigates to the password reset functionality at `/logins/resetpassword.aspx`. The page loads in the context of the targeted victim user, allowing the attacker to set a new password and gain access with those credentials. Bastion Security provided video proof-of-concept demonstrations for both attack methods, confirming the viability of the exploit.
Historical Context and Previous Vulnerabilities
The discovery of CVE-2024-39337 follows a pattern of serious security issues within Passwordstate. In December 2022, security firm Modzero AG disclosed multiple critical vulnerabilities that could be chained together by an unauthenticated attacker to exfiltrate the entire password database in cleartext. The most severe of these, CVE-2022-3875, was an authentication bypass for the product’s API with a CVSS score of 9.1. A public proof-of-concept was available, enabling complete system compromise with only a username. These flaws were patched in Build 9611 in September 2022, with further hardening implemented in Build 9653 that November.
Prior to these technical flaws, Click Studios faced a different type of security crisis in April 2021 when it fell victim to a supply chain attack. A malicious update was delivered through the software’s legitimate update mechanism, compelling the company to warn all users to immediately reset every password stored within their instances. This history establishes Passwordstate as a recurring focus for both malicious actors and security researchers, highlighting the immense value of the data it protects and the constant attention required to secure it.
Product Evolution and Security Hardening
An analysis of the product’s changelog reveals a distinct shift in development priorities over time. A period of significant feature expansion, exemplified by Build 9000 (v9.0 Beta) released in January 2021, broadened the application’s attack surface. This build introduced a new mobile app, expanded API functionality, enhanced browser extensions, and new authentication features. It also involved a technical foundation upgrade to .NET Framework 4.7.2 and began digitally signing core DLLs.
Following the disclosure of the 2022 vulnerabilities, the development cycle shows a pronounced move towards proactive security hardening. The changelog for subsequent builds is replete with security-focused fixes and enhancements. Build 9653 added protocol validation checks to URL fields to address a stored cross-site scripting (XSS) flaw, CVE-2022-3877. Later builds, such as 9795 and 9811, included patches for access control issues (CVE-2023-47801) and general security improvements (CVE-2023-43295), which involved obfuscating graph query data and updating brute-force login detection logic. This pattern of continuous security enhancement demonstrates a vendor responding to past compromises by systematically strengthening its product’s defenses.
Remediation and Mitigation Strategies
The immediate and primary mitigation for CVE-2024-39337 is to upgrade the Passwordstate installation to Build 9858 or later. This patch was released by Click Studios on March 7, 2024, following a responsible disclosure process that began when Bastion Security reported the flaw on March 4. The CVE was assigned on June 24, 2024, with public advisory following on June 25. Organizations that have not yet applied this update are exposed to a significant risk of complete credential store compromise.
For security teams, this event reinforces several key operational principles. It highlights the critical importance of maintaining a rigorous and timely patch management process, especially for security-critical applications like password managers. The history of vulnerabilities also suggests that organizations relying on such software should implement additional layers of monitoring and control. Network segmentation, strict egress filtering, and robust logging of authentication and access events within the password manager can help detect and contain exploitation attempts, even if a vulnerability is leveraged.
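As an added illustration of the logging point above (example code written for this article, not from Click Studios or Bastion Security), the following Python heuristic reads web-server access events and flags, from the defender's side, the sequence the advisory describes: a failed interactive login followed within a short window, with no successful login in between, by a request from the same client for the same username to the password reset page or the MFA setup page. It also records whether the client touched `/emergency/` beforehand, since the advisory names that as the SAML precursor. The log format, the field names, the ten-minute window, the sample lines and the MFA setup path are constructed assumptions; only `/logins/loginadan.aspx`, `/logins/resetpassword.aspx` and `/emergency/` come from the advisory as summarized above.

```python
"""Heuristic detector for the failed-login-then-sensitive-page sequence.

Added example for this article, not code from Click Studios or Bastion Security.
Assumptions (constructed for the example): a whitespace-separated access log with
timestamp, client IP, method, path, HTTP status and key=value fields; a ten-minute
correlation window; and a placeholder path for the MFA setup page, which the
article names but does not give a path for.
"""
import re
from datetime import datetime, timedelta

LOGIN_PAGE = "/logins/loginadan.aspx"        # from the advisory as described above
RESET_PAGE = "/logins/resetpassword.aspx"    # from the advisory as described above
EMERGENCY_PAGE = "/emergency/"               # from the advisory as described above
MFA_SETUP_PAGE = "/logins/MFA-SETUP-PAGE-PLACEHOLDER.aspx"  # placeholder, not a real path
SENSITIVE_PAGES = {RESET_PAGE, MFA_SETUP_PAGE}
WINDOW = timedelta(minutes=10)               # assumed correlation window

# Constructed sample log lines (not real traffic). Three clients:
#   203.0.113.5  fails a login for alice, then opens the password reset page
#   198.51.100.7 fails, then succeeds, then opens the reset page (benign)
#   192.0.2.9    hits /emergency/, fails a login for carol, then opens MFA setup
SAMPLE_LOG = """\
2024-03-05T10:00:01Z 203.0.113.5 POST /logins/loginadan.aspx 200 user=alice login=failed
2024-03-05T10:00:09Z 203.0.113.5 GET /logins/resetpassword.aspx 200 user=alice
2024-03-05T10:00:20Z 203.0.113.5 POST /logins/resetpassword.aspx 302 user=alice
2024-03-05T11:00:00Z 198.51.100.7 POST /logins/loginadan.aspx 200 user=bob login=failed
2024-03-05T11:00:15Z 198.51.100.7 POST /logins/loginadan.aspx 302 user=bob login=success
2024-03-05T11:00:30Z 198.51.100.7 GET /logins/resetpassword.aspx 200 user=bob
2024-03-05T12:00:00Z 192.0.2.9 GET /emergency/ 200 user=-
2024-03-05T12:00:05Z 192.0.2.9 POST /logins/loginadan.aspx 200 user=carol login=failed
2024-03-05T12:00:40Z 192.0.2.9 GET /logins/MFA-SETUP-PAGE-PLACEHOLDER.aspx 200 user=carol
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S+)(?: login=(\S+))?$"
)


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status, user, login = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip, "method": method, "path": path,
        "status": int(status), "user": user, "login": login,
    }


def find_suspicious_sequences(log_text, window=WINDOW):
    """Return one finding per failed login that is followed, within `window` and
    with no successful login in between, by a sensitive-page request from the
    same client for the same username."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    emergency_ips = set()   # clients that touched /emergency/ (SAML precursor)
    pending = {}            # (ip, user) -> time of a failed login not yet explained
    findings = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["path"] == EMERGENCY_PAGE:
            emergency_ips.add(e["ip"])
        elif e["path"] == LOGIN_PAGE and e["method"] == "POST":
            if e["login"] == "failed":
                pending[key] = e["ts"]
            elif e["login"] == "success":
                pending.pop(key, None)   # a real login explains later page visits
        elif e["path"] in SENSITIVE_PAGES and key in pending:
            failed_at = pending.pop(key)  # one finding per unexplained failure
            if e["ts"] - failed_at <= window:
                findings.append({
                    "ip": e["ip"], "user": e["user"], "path": e["path"],
                    "seconds_after_failure": int((e["ts"] - failed_at).total_seconds()),
                    "emergency_seen": e["ip"] in emergency_ips,
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sequences(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the heuristic reports the alice and carol sequences and stays silent on bob, whose successful login explains his later visit to the reset page. The point of the design is that it keys on an application-level state transition (an unexplained failure followed by a privileged page) rather than on request volume, which is what brute-force thresholds watch for and what this class of bypass does not trigger; in a real deployment the parser would be replaced with one for the IIS and Passwordstate audit logs actually available.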
The case of Passwordstate serves as a reminder that all software, including security products designed to protect assets, can contain vulnerabilities. A defense-in-depth strategy, where the compromise of a single system does not lead to a catastrophic breach, is therefore essential. Organizations should ensure that access to password management systems is tightly controlled and that the systems themselves are not overly permissive in their network communications or access rights.
The disclosure of CVE-2024-39337 and the historical context of Passwordstate’s vulnerabilities illustrate the ongoing challenge of securing complex enterprise software. While Click Studios has demonstrated a cooperative and responsive approach to vulnerability disclosure and patching, the recurrence of high-severity flaws indicates the difficulty of maintaining a secure codebase amidst feature development. For organizations, the imperative is clear: promptly apply security patches, assume that any software may contain vulnerabilities, and architect environments to limit the blast radius of a potential compromise. The integrity of credential stores remains a foundational element of enterprise security, demanding constant vigilance.