CVE-2025-54397
📋 TL;DR
Netwrix Directory Manager versions 11.0.0.0 through 11.1.25162.01 expose sensitive information in data sent to authenticated users. This vulnerability allows authenticated attackers to access confidential data they shouldn't normally see. Only organizations running vulnerable versions of Netwrix Directory Manager (formerly Imanami GroupID) are affected.
💻 Affected Systems
- Netwrix Directory Manager
- Imanami GroupID
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attackers could access sensitive directory information, credentials, or configuration data leading to privilege escalation or lateral movement within the network.
Likely Case
Authenticated users with limited permissions could access sensitive information about other users, groups, or directory objects beyond their authorized scope.
If Mitigated
With proper access controls and network segmentation, impact is limited to information disclosure within the application's data scope.
🎯 Exploit Status
Exploitation requires authenticated access to the Netwrix Directory Manager interface or API.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.1.25162.02
Vendor Advisory: https://community.netwrix.com/t/adv-2025-015-critical-vulnerabilities-in-netwrix-directory-manager-formerly-imanami-groupid-v11/17192
Restart Required: No
Instructions:
1. Download Netwrix Directory Manager version 11.1.25162.02 or later from the Netwrix support portal.
2. Run the installer on the server where Netwrix Directory Manager is installed.
3. Follow the upgrade wizard prompts.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict Access to Netwrix Directory Manager
Limit which users can authenticate to Netwrix Directory Manager to reduce the number of potential attackers.
Network Segmentation
Place Netwrix Directory Manager on isolated network segments with strict access controls.
🧯 If You Can't Patch
- Implement strict access controls and monitor all authenticated sessions to Netwrix Directory Manager
- Regularly audit user permissions and review logs for unusual access patterns to sensitive data
🔍 How to Verify
Check if Vulnerable:
Check the Netwrix Directory Manager version in the application interface under Help > About or via the Windows Programs and Features control panel.
Check Version:
Check Windows Programs and Features or run: wmic product where name='Netwrix Directory Manager' get version
Verify Fix Applied:
Verify the version shows 11.1.25162.02 or higher after patching. Test that authenticated users can only access data within their authorized scope.
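The version check above as a script, added here as an example and not taken from the vendor advisory: it reads the installed version from the Uninstall registry keys and classifies it against the affected range and fixed build stated on this page. The DisplayName pattern and the Get-PatchState helper are assumptions made for illustration.

```powershell
# Added example: classify installed builds against the range on this page
# (11.0.0.0 through 11.1.25162.01 affected, 11.1.25162.02 fixed).
# Reads the Uninstall registry keys instead of Win32_Product (what
# "wmic product" queries), which triggers an MSI consistency check on use.

$FirstAffected = [version]'11.0.0.0'
$FirstFixed    = [version]'11.1.25162.02'
# Assumption: the installer's DisplayName contains one of these strings.
$NamePattern   = 'Netwrix Directory Manager|GroupID'

function Get-PatchState {
    param([Parameter(Mandatory)][string]$VersionString)
    $v = $null
    # [version] compares each field numerically, so ".01" sorts before ".02"
    # and "9" before "10"; a plain string comparison would not.
    if (-not [version]::TryParse($VersionString.Trim(), [ref]$v)) { return 'Unparseable' }
    if ($v -lt $FirstAffected) { return 'OutsideAdvisoryRange' }  # page makes no claim here
    if ($v -lt $FirstFixed)    { return 'Vulnerable' }
    return 'Fixed'
}

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $NamePattern -and $_.DisplayVersion } |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            State   = Get-PatchState $_.DisplayVersion
        }
    }

if ($found) { $found | Format-Table -AutoSize }
else        { Write-Output 'No matching product found in the Uninstall registry keys.' }

# Constructed sample versions showing how the boundaries are classified.
'11.0.0.0', '11.1.25162.01', '11.1.25162.02', '10.2.7784.0' |
    ForEach-Object { '{0,-15} {1}' -f $_, (Get-PatchState $_) }
```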
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of data access by authenticated users
- Multiple requests for sensitive data fields by single users
- Access to data outside normal user scope
Network Indicators:
- Increased data volume in responses to authenticated users
- Patterns of requests targeting sensitive data endpoints
SIEM Query:
source="netwrix-directory-manager" AND (event_type="data_access" OR event_type="api_call") AND (user_scope_violation=true OR sensitive_data_access=true)