CVE-2025-48749
📋 TL;DR
Netwrix Directory Manager (formerly Imanami GroupID) versions 11.0.0.0 and earlier, and versions after 11.1.25134.03, expose sensitive information in transmitted data. This vulnerability allows attackers to intercept or access confidential data that should remain protected. Organizations using these vulnerable versions of Netwrix Directory Manager for Active Directory management are affected.
💻 Affected Systems
- Netwrix Directory Manager
- Imanami GroupID
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept sensitive Active Directory credentials, user data, or configuration details, leading to full domain compromise, lateral movement, and data exfiltration.
Likely Case
Unauthorized access to sensitive directory information, potentially enabling privilege escalation or reconnaissance for further attacks.
If Mitigated
With proper network segmentation and encryption, impact is limited to internal network exposure of sensitive data.
🎯 Exploit Status
Exploitation likely requires network access to intercept or access transmitted data. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.1.25134.03 (this exact build contains the fix; see the affected version ranges above)
Vendor Advisory: https://community.netwrix.com/t/adv-2025-014-critical-vulnerabilities-in-netwrix-directory-manager-formerly-imanami-groupid-v11/13951
Restart Required: Yes
Instructions:
1. Download the patch from the Netwrix support portal.
2. Back up the current configuration.
3. Apply the patch following the Netwrix installation guide.
4. Restart the Netwrix Directory Manager service.
5. Verify the fix by checking the version number.
🔧 Temporary Workarounds
Network Segmentation
Isolate Netwrix Directory Manager servers from untrusted networks and limit access to authorized administrative systems only.
Encryption Enforcement
Ensure all communications with Netwrix Directory Manager use strong encryption (TLS 1.2+) to protect data in transit.
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with the vulnerable Netwrix Directory Manager instance.
- Deploy additional monitoring and alerting for suspicious access patterns or data exfiltration attempts from the affected system.
🔍 How to Verify
Check if Vulnerable:
Check the Netwrix Directory Manager version in the application interface or installation directory. Versions 11.0.0.0 and earlier, or versions after 11.1.25134.03 are vulnerable.
Check Version:
Check the application interface or review the installation directory for version information. On Windows, you can check Programs and Features or the application's about dialog.
Verify Fix Applied:
Confirm the version is exactly 11.1.25134.03. Test data transmission to ensure sensitive information is no longer exposed in clear text.
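The version check above can be scripted so it is repeatable across servers. The PowerShell below is an added example, not code from the advisory or from Netwrix: it reads the installed product version from the Windows uninstall registry keys (the same data Programs and Features shows) and classifies it against the version ranges stated on this page. The DisplayName patterns used to find the product are assumptions and may need adjusting to what your server actually shows; builds that fall between the two vulnerable ranges are reported as not classified by the advisory rather than as safe.

```powershell
# Added example (not from the advisory or from Netwrix): classify a
# Netwrix Directory Manager build against the version ranges stated above.

function Get-NdmVersionStatus {
    param([Parameter(Mandatory)][version]$Version)

    $fixed     = [version]'11.1.25134.03'   # the build the advisory names as the fix
    $oldCutoff = [version]'11.0.0.0'        # this build and earlier are vulnerable

    if ($Version -eq $fixed)     { return 'fixed' }        # exactly the patched build
    if ($Version -le $oldCutoff) { return 'vulnerable' }   # 11.0.0.0 and earlier
    if ($Version -gt $fixed)     { return 'vulnerable' }   # later than the patched build
    return 'not-listed'   # between the ranges; the advisory does not classify these
}

function Get-NdmInstalledVersion {
    # DisplayName patterns are an assumption; adjust to match Programs and Features.
    param([string[]]$NamePatterns = @('Netwrix Directory Manager*', 'Imanami GroupID*', 'GroupID*'))

    # Both 64-bit and 32-bit uninstall hives, so the product is found either way.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($NamePatterns | Where-Object { $name -like $_ })
        } |
        ForEach-Object {
            $parsed = $null
            try { $parsed = [version]$_.DisplayVersion } catch { }   # tolerate odd version strings
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $_.DisplayVersion
                Status      = if ($parsed) { Get-NdmVersionStatus -Version $parsed } else { 'unparsed' }
            }
        }
}

# Constructed sample values showing how the classifier behaves:
foreach ($v in '10.9.0.0', '11.0.0.0', '11.1.25134.03', '11.2.0.0') {
    '{0,-15} {1}' -f $v, (Get-NdmVersionStatus -Version ([version]$v))
}

# On an actual server, list what is installed and how it classifies:
Get-NdmInstalledVersion | Format-Table -AutoSize
```

A `fixed` result only confirms the version number; the advisory's own verification step (testing that transmitted data is no longer exposed in clear text) still applies, and an empty result from `Get-NdmInstalledVersion` most likely means the DisplayName pattern needs adjusting rather than that the product is absent.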
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to Netwrix Directory Manager logs
- Failed authentication attempts followed by successful data access
- Large volumes of data being transmitted from the system
Network Indicators:
- Unencrypted or suspicious traffic to/from Netwrix Directory Manager ports
- Unexpected outbound connections from the Netwrix server
SIEM Query:
source="netwrix-directory-manager" AND (event_type="data_transmission" OR event_type="sensitive_access") | stats count by src_ip, dest_ip, user