CVE-2025-26817

Published: Apr 3, 2025Modified: May 28, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Netwrix Password Secure 9.2.0.32454 allows OS command injection.

Affected (1)

Products: Netwrix: Password Secure

1 product

Password Secure

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Netwrix Password Secure	Before 9.2.1

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

https://helpcenter.netwrix.com/bundle/PasswordSecure_9.2_ReleaseNotes/resource/Netwrix_PasswordSecure_9.2_BugFixList.pdf

Source: cve@mitre.org

Release Notes

https://security.netwrix.com/advisories/adv-2025-009

Source: cve@mitre.org

Vendor Advisory

https://www.8com.de/cyber-security-blog/authenticated-remote-code-execution-in-netwrix-password-secure-cve-2025-26817

Source: cve@mitre.org

Timeline

No history available yet.