Netwrix
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Netwrix product.
RSS Feeds for Netwrix security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Netwrix products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Netwrix Sorted by Most Security Vulnerabilities since 2018
Known Exploited Netwrix Vulnerabilities
The following Netwrix vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Netwrix Auditor Insecure Object Deserialization Vulnerability |
Netwrix Auditor User Activity Video Recording component contains an insecure objection deserialization vulnerability that allows an unauthenticated, remote attacker to execute code as the NT AUTHORITY\SYSTEM user. Successful exploitation requires that the attacker to be able to reach port 9004/TCP, which is commonly blocked by standard enterprise firewalling. CVE-2022-31199 Exploit Probability: 5.9% |
July 11, 2023 |
By the Year
In 2026 there have been 0 vulnerabilities in Netwrix. Last year, in 2025 Netwrix had 14 security vulnerabilities published. Right now, Netwrix is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 14 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 9.80 |
| 2022 | 1 | 9.80 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 7.50 |
| 2019 | 1 | 0.00 |
It may take a day or so for new Netwrix vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Netwrix Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-54392 | Aug 07, 2025 |
Netwrix Directory Manager 11.x XSS in auth error data (before 11.1.25162.02)Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication error data, a different vulnerability than CVE-2025-47189. |
Directory Manager
|
| CVE-2025-54394 | Aug 07, 2025 |
Netwrix Directory Manager Credential Disclosure via Excel (pre-11.1.25162.02)Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 has Insufficiently Protected Credentials for requests to remote Excel resources. |
Directory Manager
|
| CVE-2025-54393 | Aug 07, 2025 |
Static Code Injection in Netwrix DirMgr <11.1.25162.02 (RCE)Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows Static Code Injection. Authenticated users can obtain administrative access. |
Directory Manager
|
| CVE-2025-54395 | Aug 07, 2025 |
Netwrix Directory Manager XSS in auth config before 11.1.25162.02Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication configuration data. |
Directory Manager
|
| CVE-2025-54396 | Aug 07, 2025 |
Netwrix DirMgr 11.0.0.0 SQLi for Auth Users (before 11.1.25162.02)Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows SQL Injection. Authenticated users can exploit this. |
Directory Manager
|
| CVE-2025-54397 | Aug 07, 2025 |
Netwrix Directory Manager 11.0.0.0 -Sensitive Info Leak (before 11.1.25162.02)Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 inserts Sensitive Information Into Sent Data to authenticated users. |
Directory Manager
|
| CVE-2025-47189 | Jul 17, 2025 |
XSS in Netwrix DirMgr 11.0.x before 11.1.25162.02Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication error data of certain user flows, a different vulnerability than CVE-2025-54392. |
Directory Manager
|
| CVE-2025-48748 | May 29, 2025 |
Netwrix DM v10.0.7784.0 Hard-coded Passwd CVE-2025-48748Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password. |
Directory Manager
|
| CVE-2025-47748 | May 28, 2025 |
Netwrix Dir Manager v11 hardcoded password vulnerability CVE-2025-47748Netwrix Directory Manager v.11.0.0.0 and before & after v.11.1.25134.03 contains a hardcoded password. |
Directory Manager
|
| CVE-2025-48747 | May 28, 2025 |
Netwrix Directory Manager <11.1.25134.03 Incorrect Permission AssignmentNetwrix Directory Manager (formerly Imanami GroupID) before and including v.11.0.0.0 and after v.11.1.25134.03 has Incorrect Permission Assignment for a Critical Resource. |
Directory Manager
|
| CVE-2025-48749 | May 28, 2025 |
Netwrix DM v11.0.0.0 SI Leak in Sent Data before 11.1.25134.03Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before & after v.11.1.25134.03 inserts Sensitive Information into Sent Data. |
Directory Manager
|
| CVE-2025-48746 | May 28, 2025 |
Netwrix Directory Manager v11.0.0.0-11.1.25134.03 Auth BypassNetwrix Directory Manager (formerly Imanami GroupID) v.11.0.0.0 and before, as well as after v.11.1.25134.03 lacks Authentication for a Critical Function. |
Directory Manager
|
| CVE-2025-26817 | Apr 03, 2025 |
Netwrix PasswordSecure 9.2.0.32454 OS Command InjectionNetwrix Password Secure 9.2.0.32454 allows OS command injection. |
Password Secure
|
| CVE-2025-26818 | Apr 03, 2025 |
Netwrix Password Secure 9.2 Command InjectionNetwrix Password Secure through 9.2 allows command injection. |
Password Secure
|
| CVE-2023-41264 | Nov 28, 2023 |
Netwrix Usercube <6.0.215 Auth Bypass via missing AuthorizedClientId/SecretNetwrix Usercube before 6.0.215, in certain misconfigured on-premises installations, allows authentication bypass on deployment endpoints, leading to privilege escalation. This only occurs if the configuration omits the required restSettings.AuthorizedClientId and restSettings.AuthorizedSecret fields (for the POST /api/Deployment/ExportConfiguration and POST /api/Deployment endpoints). |
Usercube
|
| CVE-2022-31199 | Nov 08, 2022 |
Netwrix Auditor RCE via USER ACTIVITY VIDEO RECORDB protocol abuseRemote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors. |
Auditor
|
| CVE-2020-15931 | Oct 20, 2020 |
Netwrix Account Lockout Examiner before 5.1 allows remote attackers to capture the Net-NTLMv1/v2 authentication challenge hash of the Domain Administrator (Netwrix Account Lockout Examiner before 5.1 allows remote attackers to capture the Net-NTLMv1/v2 authentication challenge hash of the Domain Administrator (that is configured within the product in its installation state) by generating a single Kerberos Pre-Authentication Failed (ID 4771) event on a Domain Controller. |
Account Lockout Examiner
|
| CVE-2019-14969 | Aug 12, 2019 |
Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-foldersNetwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links. |
Auditor
|