Cybersecurity Threat Advisory: Passwordstate emergency patch released

Cybersecurity Threat Advisory

Click Studios has released an emergency update for Passwordstate 9.9 to address a high-severity security vulnerability. According to the changelog, the flaw could be exploited to bypass authentication. Review the details in this Cybersecurity Threat Advisory to reduce your risk from these vulnerabilities.

What is the threat?

Passwordstate serves as a centralized vault for IT teams to manage sensitive credentials, including passwords, API keys, and certificates. However, a recently discovered vulnerability could allow attackers to gain access to the admin panel through the Emergency Access page by exploiting a specially crafted URL that bypasses the login process. In effect, it’s like leaving your front door wide open for anyone to walk right in.

Why is this noteworthy?

Click Studios has confirmed a high-risk vulnerability in Passwordstate that could allow attackers to steal sensitive data such as credit card details, personal information, login credentials, and TOTP codes, with just a single click on a malicious website.

The Passwordstate password manager is deployed by more than 370,000 IT professionals across 29,000 organizations worldwide, including government agencies, financial institutions, and Fortune 500 companies, as a trusted enterprise-grade privileged access management (PAM) solution.

What is the exposure or risk?

The flaw is triggered when a specially crafted URL is accessed via the Emergency Access webpage. This page is tied to a built-in Security Administrator account, designed for last-resort access when all other accounts are locked out — making it a prime target for exploitation. The latest update notes that it also “strengthened security and approach to preventing potential clickjacking associated with our browser extension if users visit compromised websites” controlled by the threat actors. Visiting a compromised site and interacting with it could expose users to data theft.

What are the recommendations?

Barracuda recommends the following actions to secure the Passwordstate management solution:

  • Update to Passwordstate Build 9972 or later to fully patch the authentication bypass vulnerability.
  • Verify the update has been successfully applied across all instances.
  • Limit access to the Emergency Access URL (/<Your Passwordstate URL>/Emergency) by setting Allowed IP Ranges under:
    System Settings → Allowed IP Ranges → Emergency Access Allowed IP Address.
  • Restrict that range to trusted, internal IP addresses only.
  • Review web server and Passwordstate logs for any access attempts to the Emergency Access page, especially from unknown IP addresses.
  • Enable alerting for repeated or unusual login attempts.
  • Audit all accounts that hold the Security Administrator role.
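The log-review and alerting steps above can be scripted. The following is an added example, not code from Barracuda or Click Studios: it parses IIS W3C-format web server log lines (Passwordstate runs on IIS), picks out requests to the Emergency Access page, flags any that come from outside an allowed IP range, and counts repeated attempts per source. The log lines, the allowed ranges (10.0.0.0/8 and 192.168.0.0/16), the repeat threshold and the field layout are all constructed assumptions; adjust them to your own deployment and log format.

```python
import ipaddress
from collections import Counter

# Constructed sample in IIS W3C extended log format (not taken from the advisory).
# The "#Fields:" header names the columns; every request line below is made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-15 08:01:12 10.0.0.5 GET /passwordstate/default.aspx - 10.0.1.20 200
2024-01-15 08:02:40 10.0.0.5 GET /passwordstate/emergency - 10.0.1.20 200
2024-01-15 08:05:03 10.0.0.5 GET /passwordstate/Emergency - 203.0.113.7 302
2024-01-15 08:05:05 10.0.0.5 GET /passwordstate/Emergency - 203.0.113.7 302
2024-01-15 08:05:09 10.0.0.5 POST /passwordstate/emergency - 203.0.113.7 200
2024-01-15 08:07:00 10.0.0.5 GET /passwordstate/api/passwords - 198.51.100.9 401
"""

# Assumed internal ranges; mirror the Emergency Access Allowed IP Address setting here.
ALLOWED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Assumed threshold for "repeated" attempts from one source.
REPEAT_THRESHOLD = 3


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed or header-less lines instead of guessing
        yield dict(zip(fields, values))


def is_emergency_page(uri_stem):
    """True when the request path is the Emergency Access page (case-insensitive)."""
    return uri_stem.lower().rstrip("/").endswith("/emergency")


def ip_allowed(ip_text, ranges):
    """True when the client IP falls inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable client address is treated as untrusted
    return any(ip in net for net in ranges)


def find_emergency_access(text, ranges=ALLOWED_RANGES, threshold=REPEAT_THRESHOLD):
    """Return Emergency Access requests from untrusted IPs and sources that repeat."""
    untrusted_hits = []
    per_ip = Counter()
    for rec in parse_w3c(text):
        if not is_emergency_page(rec["cs-uri-stem"]):
            continue
        src = rec["c-ip"]
        per_ip[src] += 1
        if not ip_allowed(src, ranges):
            untrusted_hits.append(
                (rec["date"] + " " + rec["time"], src, rec["cs-method"], rec["sc-status"])
            )
    repeated = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return {"untrusted_hits": untrusted_hits, "repeated_sources": repeated}


if __name__ == "__main__":
    result = find_emergency_access(SAMPLE_LOG)
    for when, src, method, status in result["untrusted_hits"]:
        print(f"ALERT {when} {method} Emergency Access from untrusted {src} (HTTP {status})")
    for src, count in result["repeated_sources"].items():
        print(f"ALERT {count} Emergency Access requests from {src}")
```

Pointed at the real IIS log directory (and with the `#Fields:` line of your own logs, since IIS lets you choose which columns are written), the script gives the "unknown IP" review the recommendations call for; wiring its output into your SIEM covers the alerting step.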


If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.