CVE-2025-47748
📋 TL;DR
Netwrix Directory Manager versions 11.0.0.0 and earlier, plus versions after 11.1.25134.03, contain a hardcoded password vulnerability (CWE-259). This allows attackers with access to the system to potentially gain unauthorized administrative privileges. Organizations using affected versions of Netwrix Directory Manager are at risk.
💻 Affected Systems
- Netwrix Directory Manager (formerly Imanami GroupID)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the directory management system, allowing attackers to modify user permissions, create backdoors, and potentially pivot to other systems in the domain.
Likely Case
Unauthorized administrative access to the Directory Manager application, enabling configuration changes, privilege escalation, and data exfiltration.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized access to the management interface.
🎯 Exploit Status
Exploitation requires access to the system where the hardcoded credentials can be discovered and used. No authentication bypass is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 11.1.25134.03
Vendor Advisory: https://community.netwrix.com/t/adv-2025-014-critical-vulnerabilities-in-netwrix-directory-manager-formerly-imanami-groupid-v11/13951
Restart Required: Yes
Instructions:
1. Download the patched version 11.1.25134.03 from Netwrix.
2. Back up the current configuration and data.
3. Run the installer to upgrade.
4. Restart the Directory Manager service.
5. Verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the Directory Manager management interface to authorized administrative networks only.
Access Control Lists
Implement strict firewall rules and Windows Firewall policies to limit the source IP addresses that can connect to the Directory Manager service. The rule below only adds an allow entry for the authorized addresses; it restricts access only if the profile's default inbound action is Block and no broader allow rule for the same port already exists.
netsh advfirewall firewall add rule name="Restrict Directory Manager" dir=in action=allow protocol=TCP localport=<port> remoteip=<authorized_ips>
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Directory Manager server from non-administrative networks.
- Monitor authentication logs for unauthorized access attempts and implement alerting for suspicious login patterns.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Netwrix Directory Manager via the application interface or Windows Programs and Features. If the version is 11.0.0.0 or earlier, or any version after 11.1.25134.03, the system is vulnerable.
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Netwrix Directory Manager*"} | Select-Object Name, Version
Verify Fix Applied:
Confirm the installed version is exactly 11.1.25134.03. Test administrative functionality to ensure the patch didn't break core features.
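The version check above can be scripted so the result is unambiguous. This is an added example, not code from the Netwrix advisory; it assumes the product registers a standard Uninstall entry whose DisplayVersion is a dotted numeric string, and it applies the version ranges exactly as this page states them (only the patched build 11.1.25134.03 is treated as fixed).

```powershell
# Added example (not from the Netwrix advisory): classify an installed
# Netwrix Directory Manager build against the ranges listed on this page.
# Assumption: the product appears under the standard Uninstall registry keys
# with a parseable DisplayVersion. Patched build number is from the page.

$FixedVersion      = [version]'11.1.25134.03'
$LastOldVulnerable = [version]'11.0.0.0'

function Test-NdmVulnerable {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $v = [version]$DisplayVersion
    # Per the advisory text: 11.0.0.0 and earlier are vulnerable, the patched
    # build is fixed, and builds newer than the patch are again vulnerable.
    if ($v -le $LastOldVulnerable) { return 'Vulnerable (11.0.0.0 or earlier)' }
    if ($v -eq $FixedVersion)      { return 'Patched' }
    if ($v -gt $FixedVersion)      { return 'Vulnerable (newer than patched build, per advisory)' }
    # Builds between 11.0.0.0 and the patch are not described on this page.
    return 'Unknown (between 11.0.0.0 and 11.1.25134.03; confirm with vendor)'
}

function Get-NdmInstall {
    # Read the Uninstall keys directly rather than Win32_Product, which is slow
    # and triggers an MSI consistency check of every installed package.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Netwrix Directory Manager*' -or
                       $_.DisplayName -like '*GroupID*' } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Status  = Test-NdmVulnerable -DisplayVersion $_.DisplayVersion
            }
        }
}

$found = Get-NdmInstall
if (-not $found) { Write-Output 'Netwrix Directory Manager not found in Uninstall keys.' }
else { $found | Format-Table -AutoSize }
```

Run it in an elevated session on each Directory Manager host; a Status other than Patched means the upgrade steps above still apply.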
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to the Directory Manager service
- Configuration changes made from unexpected IP addresses or user accounts
- Failed login attempts followed by successful logins from the same source
Network Indicators:
- Unexpected network connections to the Directory Manager service port from unauthorized IP ranges
- Traffic patterns indicating brute force attempts
SIEM Query:
source="directory_manager.log" (event_type="authentication" AND (result="success" AND src_ip NOT IN [authorized_admin_ips]))