Click Studios, the developer of enterprise-focused password management solution Passwordstate, said it has released security updates to address an authentication bypass vulnerability in its software.
The issue, which is yet to be assigned a CVE identifier, has been addressed in Passwordstate 9.9 (Build 9972), released August 28, 2025.
The Australian company said it fixed a “potential Authentication Bypass when using a carefully crafted URL against the core Passwordstate Products’ Emergency Access page.”
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
Also included in the latest version are improved protections to safeguard against potential clickjacking attacks aimed at its browser extension, should users end up visiting compromised sites.
The safeguards are likely in response to findings from security researcher Marek Tóth, who, earlier this month, detailed a technique called Document Object Model (DOM)-based extension clickjacking that several password manager browser add-ons have been found vulnerable to.
“A single click anywhere on an attacker-controlled website could allow attackers to steal users’ data (credit card details, personal data, login credentials, including TOTP),” Tóth said. “The new technique is general and can be applied to other types of extensions.”
According to Click Studios, the credential manager is used by 29,000 customers and 370,000 security and IT professionals, spanning global enterprises, government agencies, financial institutions, and Fortune 500 companies.
The disclosure comes over four years after the company suffered a supply chain breach that enabled attackers to hijack the software’s update mechanism in order to drop malware capable of harvesting sensitive information from compromised systems.
Then in December 2022, Click Studios also resolved multiple security flaws in Passwordstate, including an authentication bypass for Passwordstate’s API (CVE-2022-3875, CVSS score: 9.1) that could have been exploited by an unauthenticated remote adversary to obtain a user’s plaintext passwords.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available