CVE-2023-27706

7.1 HIGH

📋 TL;DR

The Bitwarden Windows desktop application versions before 2023.4.0 store biometric authentication keys in Windows Credential Manager without proper isolation, allowing other local unprivileged processes to access them. This affects Windows users of Bitwarden desktop who use biometric authentication features.

💻 Affected Systems

Products:
  • Bitwarden Desktop Application
Versions: All versions prior to v2023.4.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows desktop versions using biometric authentication features.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attackers could extract biometric keys and potentially decrypt or access stored passwords and sensitive data in Bitwarden vaults.

🟠

Likely Case

Malware or other local processes could access biometric authentication keys, potentially compromising the password manager's security.

🟢

If Mitigated

With proper access controls and updated software, biometric keys are properly isolated and protected from unauthorized access.

🌐 Internet-Facing: LOW - This is a local privilege issue, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Local attackers or malware on the same system can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system and knowledge of Windows Credential Manager access techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2023.4.0 and later

Vendor Advisory: https://github.com/bitwarden/clients

Restart Required: Yes

Instructions:

1. Open the Bitwarden desktop application.
2. Go to Settings > About.
3. Check the current version.
4. If it is below v2023.4.0, download and install the latest version from the official Bitwarden website.
5. Restart the application.

🔧 Temporary Workarounds

Disable Biometric Authentication

windows

Temporarily disable biometric authentication features until patched

Open Bitwarden > Settings > Security > Disable 'Unlock with biometrics'

Use Windows Hello Alternative

windows

Use Windows Hello PIN or password instead of biometric authentication

Open Bitwarden > Settings > Security > Change unlock method to PIN or password

🧯 If You Can't Patch

  • Disable biometric authentication and use master password only
  • Implement strict local access controls and endpoint security monitoring

🔍 How to Verify

Check if Vulnerable:

Check the Bitwarden version in Settings > About. If the version is below 2023.4.0, the installation is vulnerable.

Check Version:

In Bitwarden: Settings > About shows current version

Verify Fix Applied:

Verify version is 2023.4.0 or higher in Settings > About, and biometric authentication still functions properly.
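The version check above is easy to get wrong when scripted, because a plain string comparison orders "2023.10.0" before "2023.4.0". The following added example (not part of the advisory or of Bitwarden's own code) parses the version shown in Settings > About into a numeric tuple and compares it against the 2023.4.0 fix version from this page; the input strings are constructed samples.

```python
import re
from typing import Tuple

# First fixed release named in the advisory: v2023.4.0 and later are patched.
FIXED_VERSION: Tuple[int, int, int] = (2023, 4, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract 'major.minor.patch' from strings such as '2023.4.0',
    'v2023.10.1' or 'Version 2023.4.0' and return it as integers so that
    comparisons are numeric, not lexical."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_vulnerable(version_text: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def lexical_comparison_is_wrong(a: str, b: str) -> bool:
    """Show the pitfall: plain string ordering disagrees with numeric ordering."""
    return (a < b) != (parse_version(a) < parse_version(b))


if __name__ == "__main__":
    # Constructed sample inputs, as they might be copied from Settings > About.
    for sample in ["2023.3.2", "v2023.4.0", "Version 2023.10.1"]:
        state = "VULNERABLE" if is_vulnerable(sample) else "patched"
        print(f"{sample:>20}: {state}")
    print("string compare misorders 2023.10.0 vs 2023.4.0:",
          lexical_comparison_is_wrong("2023.10.0", "2023.4.0"))
```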

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to Windows Credential Manager
  • Multiple failed biometric authentication attempts

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Windows Event ID 4660 or 4663 showing access to Credential Manager by non-Bitwarden processes
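As an added example of the detection logic described above (not code from the advisory or from Bitwarden), the block below runs over a handful of constructed, flattened Event ID 4663/4660 records and flags Credential Manager object access by processes other than Bitwarden. The record format, the Credential Manager paths under %APPDATA%\Microsoft\Credentials and %LOCALAPPDATA%\Microsoft\Vault, and the allowlist of expected readers are assumptions to tune for your environment; note that 4663 is only emitted when object access auditing is enabled and a SACL exists on those objects.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample records, flattened to key=value form. Field names mirror
# the Process Name / Object Name fields of Event ID 4663; the paths are assumed.
SAMPLE_EVENTS = [
    "EventID=4663 Account=alice ProcessName=C:\\Users\\alice\\AppData\\Local\\Programs\\Bitwarden\\Bitwarden.exe "
    "ObjectName=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Credentials\\CRED1 Access=ReadData",
    "EventID=4663 Account=alice ProcessName=C:\\Users\\alice\\Downloads\\update.exe "
    "ObjectName=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Credentials\\CRED1 Access=ReadData",
    "EventID=4663 Account=alice ProcessName=C:\\Windows\\explorer.exe "
    "ObjectName=C:\\Users\\alice\\Documents\\notes.txt Access=ReadData",
    "EventID=4624 Account=alice ProcessName=- ObjectName=- Access=-",
    "EventID=4663 Account=SYSTEM ProcessName=C:\\Windows\\System32\\lsass.exe "
    "ObjectName=C:\\Users\\alice\\AppData\\Local\\Microsoft\\Vault\\VAULT1 Access=ReadData",
]

# Path fragments that identify Credential Manager storage (assumed locations).
CREDMAN_MARKERS = ("\\microsoft\\credentials\\", "\\microsoft\\vault\\")

# Processes expected to touch those objects: Bitwarden itself, plus lsass.exe,
# which hosts the Credential Manager service (assumed; adjust per environment).
ALLOWED_PROCESSES: Set[str] = {"bitwarden.exe", "lsass.exe"}

OBJECT_ACCESS_EVENT_IDS = {"4663", "4660"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse a flattened 'key=value key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def process_basename(path: str) -> str:
    """Return the lower-cased executable name from a full process path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_credential_manager_object(object_name: str) -> bool:
    """True when the accessed object lives in Credential Manager storage."""
    lowered = object_name.lower()
    return any(marker in lowered for marker in CREDMAN_MARKERS)


def suspicious_credman_access(lines: Iterable[str],
                              allowlist: Set[str] = ALLOWED_PROCESSES) -> List[Dict[str, str]]:
    """Return object-access events on Credential Manager storage whose
    originating process is not on the allowlist."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") not in OBJECT_ACCESS_EVENT_IDS:
            continue
        if not is_credential_manager_object(event.get("ObjectName", "")):
            continue
        if process_basename(event.get("ProcessName", "")) in allowlist:
            continue
        hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in suspicious_credman_access(SAMPLE_EVENTS):
        print(f"ALERT {hit['Account']}: {hit['ProcessName']} -> {hit['ObjectName']}")
```

In a real pipeline the same predicate would be applied to the XML or JSON form of the Security log export rather than to flattened lines; the allowlist is the part most worth tuning, since other legitimate credential consumers on a workstation will otherwise show up as hits.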

🔗 References