CVE-2025-54394
📋 TL;DR
Netwrix Directory Manager versions 11.0.0.0 through 11.1.25162.02 insufficiently protect credentials when making requests to remote Excel resources. This vulnerability could allow attackers to intercept or access credentials used for these connections. Organizations using affected versions of Netwrix Directory Manager (formerly Imanami GroupID) are at risk.
💻 Affected Systems
- Netwrix Directory Manager (formerly Imanami GroupID)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept credentials used for remote Excel resource connections, potentially gaining unauthorized access to sensitive data or systems those credentials protect.
Likely Case
Credential exposure leading to unauthorized access to Excel resources or data exfiltration from those resources.
If Mitigated
Limited impact if proper network segmentation, credential rotation, and access controls are implemented for Excel resources.
🎯 Exploit Status
Exploitation requires access to the vulnerable Directory Manager instance and knowledge of its Excel resource configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.1.25162.02 or later
Vendor Advisory: https://community.netwrix.com/t/adv-2025-015-critical-vulnerabilities-in-netwrix-directory-manager-formerly-imanami-groupid-v11/17192
Restart Required: No
Instructions:
1. Download the latest version from the Netwrix support portal.
2. Run the installer to upgrade.
3. Verify the installation completed successfully.
🔧 Temporary Workarounds
Disable Remote Excel Resource Connections
Temporarily disable or remove configurations for remote Excel resources until patching can be completed.
Navigate to Directory Manager configuration and remove Excel resource connections
Implement Network Segmentation
Restrict network access between Directory Manager and Excel resources to minimize exposure.
Configure firewall rules to limit connections to Excel resources
🧯 If You Can't Patch
- Implement strict network segmentation between Directory Manager and Excel resources
- Rotate all credentials used for Excel resource connections and implement credential monitoring
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Netwrix Directory Manager via Control Panel > Programs and Features or the application's About dialog.
Check Version:
Check application version in Windows Programs and Features or run: wmic product where name="Netwrix Directory Manager" get version
Verify Fix Applied:
Verify the version is 11.1.25162.02 or later and test Excel resource connectivity.
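As an added example (not from the vendor advisory or this page's source), the PowerShell below reads the installed version from the standard Windows uninstall registry keys and classifies it using the "11.1.25162.02 or later" threshold from Verify Fix Applied. It avoids `wmic product` (Win32_Product), which can trigger MSI consistency checks on every installed package. The display-name pattern, and that the registry DisplayVersion carries the same version string as the product, are assumptions.

```powershell
# Added example, not vendor code: check installed Netwrix Directory Manager
# builds against the fixed version stated on this page.
$FixedVersion  = [version]'11.1.25162.02'       # "Patch Version" on this page
$FirstAffected = [version]'11.0.0.0'            # lower bound from the TL;DR
$NamePattern   = '*Netwrix Directory Manager*'  # assumption: matches DisplayName

function Get-DirectoryManagerStatus {
    param([string]$DisplayVersion)

    # Missing or oddly formatted versions are reported, not guessed at.
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) {
        return 'Unknown (version missing or unparseable)'
    }
    if ($parsed -ge $FixedVersion)  { return 'Fixed' }
    if ($parsed -ge $FirstAffected) { return 'Vulnerable' }
    return 'Outside the range listed for this CVE'
}

# Standard per-machine uninstall keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern }

if (-not $installed) {
    Write-Output 'No matching product entry found in the uninstall registry keys.'
} else {
    $installed | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = Get-DirectoryManagerStatus -DisplayVersion $_.DisplayVersion
        }
    }
}
```

An "Unknown" result means the version should be confirmed in the application's About dialog before the host is treated as patched.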
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to Excel resources
- Multiple failed connections to Excel resources from Directory Manager
Network Indicators:
- Unexpected network traffic between Directory Manager server and Excel resource locations
- Credential-related traffic in clear text
SIEM Query:
source="DirectoryManager" AND (event_type="Excel_Connection" OR credential_usage="Excel")