CVE-2025-48748

10.0 CRITICAL

📋 TL;DR

Netwrix Directory Manager (formerly Imanami GroupID) versions through 10.0.7784.0 contain a hard-coded password vulnerability. This allows attackers to gain unauthorized access to the system using the embedded credentials. All organizations running affected versions are vulnerable.

💻 Affected Systems

Products:
  • Netwrix Directory Manager
  • Imanami GroupID
Versions: All versions through 10.0.7784.0
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: This vulnerability exists in the default installation and configuration of affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the directory management system, allowing attackers to modify user accounts, groups, and permissions across the entire Active Directory environment.

🟠 Likely Case

Unauthorized access to the directory management console, enabling attackers to create/delete accounts, escalate privileges, and exfiltrate sensitive directory data.

🟢 If Mitigated

Limited impact if the system is isolated, monitored, and access is restricted, though the hard-coded credential remains a persistent backdoor.

🌐 Internet-Facing: HIGH if the management interface is exposed to the internet, as attackers can directly exploit the hard-coded credentials.
🏢 Internal Only: HIGH as any internal attacker or compromised account can use the hard-coded password to gain administrative access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only knowledge of the hard-coded password, which may be discovered through reverse engineering or leaked information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 10.0.7785.0 or later

Vendor Advisory: https://community.netwrix.com/t/adv-2025-013-hard-coded-password-in-netwrix-directory-manager-formerly-imanami-groupid-v10-and-earlier/13945

Restart Required: Yes

Instructions:

1. Download the latest version from the Netwrix support portal.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the Netwrix Directory Manager service.
5. Verify that the new version is running.

🔧 Temporary Workarounds

Network Isolation

Restrict network access to the management interface to only trusted administrative networks.

Use Windows Firewall or network ACLs to block all inbound connections except those from authorized management IPs.

Credential Rotation

Change the hard-coded password if the system allows password modification (though this may break functionality).

Check the Netwrix documentation for password change procedures.

🧯 If You Can't Patch

  • Immediately isolate the system from all non-essential networks and implement strict network segmentation
  • Implement enhanced monitoring and alerting for any access to the directory management interface

🔍 How to Verify

Check if Vulnerable:

Check the installed version in Control Panel > Programs and Features. If the version is 10.0.7784.0 or earlier, the system is vulnerable.

Check Version:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Netwrix Directory Manager*'} | Select-Object Name, Version

Verify Fix Applied:

Verify that the installed version is 10.0.7785.0 or later, then confirm that authentication with the previously known hard-coded credentials fails.
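The following PowerShell script is an added example (not vendor-supplied) that automates the version check above for both the pre-patch and post-patch cases. It reads the registry Uninstall keys instead of Win32_Product, which is slow and triggers MSI consistency checks on every call, and compares builds as [version] objects rather than strings. The DisplayName patterns it matches on are an assumption about how the product registers itself.

```powershell
# Added example: checks installed Netwrix Directory Manager / Imanami GroupID
# builds against the fixed version for CVE-2025-48748.
# Assumption: the product's DisplayName in the Uninstall keys matches one of $NamePatterns.
$FixedVersion = [version]'10.0.7785.0'
$NamePatterns = @('*Netwrix Directory Manager*', '*GroupID*')

# Both native and 32-bit-on-64-bit registry views; missing paths are ignored.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DirectoryManagerInstall {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($NamePatterns | Where-Object { $name -like $_ })
        } |
        Select-Object DisplayName, DisplayVersion
}

function Test-DirectoryManagerVulnerable {
    param([string]$InstalledVersion)
    # [version] compares each numeric component; a plain string comparison would
    # misorder builds such as 10.0.9000.0 against 10.0.10000.0.
    $parsed = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$parsed)) {
        throw "Unparseable version string: '$InstalledVersion'"
    }
    return $parsed -lt $FixedVersion
}

$installs = @(Get-DirectoryManagerInstall)
if ($installs.Count -eq 0) {
    Write-Output 'Netwrix Directory Manager / GroupID not found in Uninstall registry keys.'
}
foreach ($app in $installs) {
    $status = if (Test-DirectoryManagerVulnerable $app.DisplayVersion) {
        'VULNERABLE (CVE-2025-48748) - upgrade to 10.0.7785.0 or later'
    } else {
        'patched'
    }
    Write-Output ('{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $status)
}
```

Run it from an elevated PowerShell session on each server hosting the product; a result of "patched" still needs the failed-login confirmation described above.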

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful login with specific username patterns
  • Unusual administrative actions from non-standard accounts

Network Indicators:

  • Authentication requests to the management interface from unexpected source IPs
  • Burst of directory modification requests

SIEM Query:

source="netwrix" AND (event_type="authentication" AND result="success") | stats count by user, src_ip
