Click Studios, the developer of the widely used Passwordstate enterprise password manager, has alerted customers to a high-severity authentication bypass vulnerability and is urging immediate upgrades. The flaw, which has no CVE yet, allows attackers to exploit a crafted URL on the Emergency Access page to bypass authentication and gain control of the Passwordstate administration console.
Passwordstate is a central password vault used by over 370,000 IT professionals across 29,000 organizations, including hospitals, insurers, and other healthcare providers. In such environments, the tool secures credentials for systems ranging from electronic health records (EHRs) to connected medical devices, making this vulnerability particularly concerning.
Source: clickstudios.com.au.
The company has released Passwordstate 9.9 Build 9972, which patches the flaw alongside another security issue. For organizations unable to update immediately, Click Studios recommends limiting Emergency Access to trusted IP addresses through system settings. However, the company cautions this is only a short-term partial fix and urges all customers to upgrade without delay.
Although details of the bug remain limited, Click Studios confirmed that exploitation requires only a carefully crafted URL input. Such access could allow attackers to gain full administrative privileges, opening the door to the theft of passwords, API keys, certificates, and other sensitive credentials stored in healthcare networks.
The warning recalls a 2021 supply chain compromise, when attackers inserted malware into Passwordstate updates, later confirmed to have harvested stored passwords and triggered phishing campaigns. That incident forced impacted organizations to reset every credential in their databases—an operationally costly exercise for any sector, but especially disruptive in healthcare environments.
For healthcare providers, the Passwordstate flaw poses a direct risk to patient privacy and operational resilience. Organizations should patch immediately, monitor for suspicious admin activity, and review password vault dependencies as part of broader Zero Trust and defense-in-depth strategies to safeguard critical medical systems and sensitive patient data.
