CVE-2020-27020

7.5 HIGH

📋 TL;DR

Kaspersky Password Manager's built-in password generator was not cryptographically strong: an attacker who knew some additional information, such as the time a password was generated, could predict the password it produced. This affects every password created with the generator in a vulnerable version, regardless of how the product was configured.

💻 Affected Systems

Products:
  • Kaspersky Password Manager
Versions: Versions prior to 9.1.0.767
Operating Systems: Windows, macOS, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects passwords generated using the built-in password generator feature.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could compromise accounts protected by predictable passwords, leading to unauthorized access to sensitive systems and data.

🟠

Likely Case

Targeted attacks against high-value accounts where the attacker can learn, or closely bound, the generation time through other means, for example an account-creation or password-change timestamp.

🟢

If Mitigated

Limited impact if every password generated while a vulnerable version was in use has since been changed, or the affected accounts are protected by multi-factor authentication.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires knowledge of the approximate time the password was generated, which shrinks the set of candidate passwords enough to try them against the target account, either online or offline against a captured hash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.1.0.767 and later

Vendor Advisory: https://support.kaspersky.com/general/vulnerability.aspx?el=12430#270421

Restart Required: Yes

Instructions:

1. Open Kaspersky Password Manager.
2. Check for updates in settings.
3. Install the update to version 9.1.0.767 or later.
4. Restart the application.

🔧 Temporary Workarounds

Use external password generator (all platforms)

Generate passwords using a different, cryptographically secure password manager or generator until patched.

Manually create strong passwords (all platforms)

Create passwords manually using random character combinations of sufficient length and complexity. Human-chosen passwords are rarely random, so prefer the first workaround where possible and fall back to long passphrases otherwise.
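The class of weakness this advisory describes (a generator whose output is determined by the generation time) and the cryptographically secure generator the workaround asks for, side by side. This is an added illustration written for this page; it is not Kaspersky's code and does not claim to be the product's actual algorithm. It assumes the textbook failure of seeding a general-purpose PRNG (Python's Mersenne-Twister-based random.Random) with the wall-clock second, and shows why an attacker who knows the generation time to within a window only has one candidate per second in that window to try.

```python
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation
LENGTH = 12


def weak_generate(unix_seconds: int, length: int = LENGTH) -> str:
    """Illustrative weak generator (constructed for this example, not KPM's code).

    A general-purpose PRNG (random.Random is Mersenne Twister) seeded with nothing
    but the wall-clock second: every run started in the same second, on any
    machine, produces the same password, and the seed space for a whole year is
    only 31,536,000 values.
    """
    rng = random.Random(unix_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def candidate_set_size(window_seconds: int) -> int:
    """Passwords the attacker must try when the generation time is known to within
    +/- window_seconds. For a time-seeded generator this is the whole work factor,
    independent of password length or alphabet."""
    return 2 * window_seconds + 1


def recover_seed(observed: str, approx_time: int, window_seconds: int) -> Optional[int]:
    """Attacker side: enumerate every second in the window and return the seed that
    reproduces the observed password, or None if none does. Against a live account
    the attacker would instead submit each candidate as a login attempt."""
    for seed in range(approx_time - window_seconds, approx_time + window_seconds + 1):
        if weak_generate(seed, len(observed)) == observed:
            return seed
    return None


def secure_generate(length: int = LENGTH) -> str:
    """Hardened form: secrets draws from the OS CSPRNG, so there is no small seed to
    recover and two passwords generated in the same second are independent."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    t = 1_600_000_000  # hypothetical generation time, 2020-09-13 12:26:40 UTC
    pw = weak_generate(t)
    print("weak password generated at", t, ":", pw)
    # Attacker only knows the time to within ten minutes either side.
    print("candidates to try:", candidate_set_size(600))
    print("recovered seed:", recover_seed(pw, t + 137, 600))
    print("secure password:", secure_generate(), "(no seed to recover)")
```

The point of `candidate_set_size` is that length and character set do nothing for a time-seeded generator: a 32-character password generated in a known hour is one of 3,601 possibilities. Only the entropy of the seed counts, which is why the fix is a CSPRNG, not a longer password.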

🧯 If You Can't Patch

  • Change all passwords generated by Kaspersky Password Manager during vulnerable period
  • Enable multi-factor authentication on all accounts using affected passwords

🔍 How to Verify

Check if Vulnerable:

Open Kaspersky Password Manager and read the version shown in the application settings or the About dialog. Any version earlier than 9.1.0.767 is vulnerable.

Check Version:

The version is displayed in the application settings or the About dialog on every supported platform.

Verify Fix Applied:

Confirm the version is 9.1.0.767 or higher after the update. The update only fixes the generator going forward; passwords created with an earlier version remain predictable until they are changed.

📡 Detection & Monitoring

Log Indicators:

  • There is no indicator inside the product itself; a guessed password shows up only in the authentication logs of the account it protects.
  • A burst of failed logins against a single account, each with a different password, ending in a success, especially from a source address or device never seen for that account before.

Network Indicators:

  • Runs of failed authentication attempts against one account followed by a successful login from the same source.

SIEM Query:

For each account, count authentication failures in the window (for example ten minutes) immediately preceding a successful authentication, and alert when the count exceeds a threshold tuned to your user population; legitimate typos rarely run past two or three.
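The failed-then-successful pattern described above, run over constructed sample authentication lines. This is an added example, not from the original page or any vendor tooling; the key=value log format, the field names, the ten-minute window and the threshold of five failures are all assumptions, so adapt the regex and thresholds to the gateway or identity provider you actually have.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Constructed sample lines (not real logs); an assumed key=value format.
# alice: 8 failures then success within seconds  -> should alert
# bob:   1 failure then success                   -> ordinary typo, no alert
# carol: 6 failures, success three hours later    -> outside the window, no alert
SAMPLE_LOG = """\
2021-05-01T10:00:01Z auth user=alice result=FAIL src=203.0.113.7
2021-05-01T10:00:02Z auth user=alice result=FAIL src=203.0.113.7
2021-05-01T10:00:03Z auth user=alice result=FAIL src=203.0.113.7
2021-05-01T10:00:04Z auth user=alice result=FAIL src=203.0.113.7
2021-05-01T10:00:05Z auth user=alice result=FAIL src=203.0.113.7
2021-05-01T10:00:06Z auth user=alice result=FAIL src=203.0.113.7
2021-05-01T10:00:07Z auth user=alice result=FAIL src=203.0.113.7
2021-05-01T10:00:08Z auth user=alice result=FAIL src=203.0.113.7
2021-05-01T10:00:09Z auth user=alice result=SUCCESS src=203.0.113.7
2021-05-01T10:05:00Z auth user=bob result=FAIL src=198.51.100.4
2021-05-01T10:05:20Z auth user=bob result=SUCCESS src=198.51.100.4
2021-05-01T08:00:00Z auth user=carol result=FAIL src=192.0.2.9
2021-05-01T08:00:01Z auth user=carol result=FAIL src=192.0.2.9
2021-05-01T08:00:02Z auth user=carol result=FAIL src=192.0.2.9
2021-05-01T08:00:03Z auth user=carol result=FAIL src=192.0.2.9
2021-05-01T08:00:04Z auth user=carol result=FAIL src=192.0.2.9
2021-05-01T08:00:05Z auth user=carol result=FAIL src=192.0.2.9
2021-05-01T11:00:00Z auth user=carol result=SUCCESS src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth user=(?P<user>\S+) "
    r"result=(?P<result>FAIL|SUCCESS) src=(?P<src>\S+)$"
)


def parse(log_text: str) -> List[dict]:
    """Turn raw lines into events; lines that are not auth records are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group("user"),
            "result": m.group("result"),
            "src": m.group("src"),
        })
    return events


def detect_guess_then_success(events: List[dict], min_failures: int = 5,
                              window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Per account, count failures inside `window` before each success and alert
    when at least `min_failures` precede it. Events need not arrive in order."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        run = []  # failures still inside the window relative to the current event
        for e in evs:
            run = [f for f in run if e["ts"] - f["ts"] <= window]
            if e["result"] == "FAIL":
                run.append(e)
                continue
            if len(run) >= min_failures:
                alerts.append({"user": user, "failures": len(run), "src": e["src"],
                               "first_fail": run[0]["ts"], "success": e["ts"]})
            run = []  # a success ends the guessing sequence either way
    return alerts


if __name__ == "__main__":
    for a in detect_guess_then_success(parse(SAMPLE_LOG)):
        print(f"ALERT {a['user']}: {a['failures']} failures from {a['src']} between "
              f"{a['first_fail']:%H:%M:%S} and success at {a['success']:%H:%M:%S}")
```

A password recovered from a predictable generator is usually tried alongside a few dozen or thousand sibling candidates, which is what makes the burst visible; a single correct guess on the first attempt leaves nothing to detect, so treat this as one signal among several and pair it with the MFA and rotation steps above.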
