Delinea Secret Server customers should apply latest patches

Submitted by Style Pass, 2024-04-19 12:00:09

Updated Customers of Delinea's Secret Server are being urged to upgrade their installations "immediately" after a researcher claimed a critical vulnerability could allow attackers to gain admin-level access.

Secret Server is a privileged access management (PAM) product from Delinea (formerly known as Thycotic and ThycoticCentrify), meaning admin-level access could provide miscreants with a way into the account credentials of an organization's most senior staff. A keys-to-the-kingdom kind of deal.

Researcher Johnny Yu discovered the vulnerability affecting both on-prem and cloud deployments of Secret Server, and published the details late last week after what he says was a lengthy and ultimately failed campaign to disclose the issue to Delinea.

Delinea acknowledged the "critical vulnerability" in the SOAP API on April 13 and fixed it in the latest version (11.7.000001), but didn't credit Yu by name with the discovery.

It also said there is no evidence to suggest the vulnerability, which hasn't been assigned a CVE, was exploited before the fix was released, and therefore all customer data is believed to be safe.
