VYPR
Medium severity 6.1 · NVD Advisory · Published Jul 17, 2025 · Updated Apr 15, 2026

CVE-2025-47189

Description

Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication error data of certain user flows, a different vulnerability than CVE-2025-54392.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Netwrix Directory Manager v11 before 11.1.25162.02 contains a stored XSS vulnerability in authentication error handling, allowing attackers to execute arbitrary JavaScript.

Vulnerability

Overview

CVE-2025-47189 is a stored cross-site scripting (XSS) vulnerability in Netwrix Directory Manager (formerly Imanami GroupID) versions 11.0.0.0 through 11.1.25162.01. The flaw exists in the handling of authentication error data within certain user flows, where user-supplied input is not properly neutralized before being stored and later rendered in a web page. This allows an attacker to inject malicious scripts that execute in the context of the affected application [1].

Exploitation

To exploit this vulnerability, an attacker must be able to influence the authentication error data that is processed by the application. This could be achieved by crafting a malicious authentication request that includes XSS payloads in fields that are later reflected in error messages. The attack does not require prior authentication, as the error handling occurs during the authentication process itself. The injected script would then execute when an administrator or other user views the error logs or the authentication error page [1].

Impact

Successful exploitation could allow an attacker to execute arbitrary JavaScript in the browser of a user viewing the affected error data. This could lead to session hijacking, defacement, or redirection to malicious sites. While the CVSS v3 base score is 6.1 (Medium), the advisory notes that this vulnerability is part of a set of critical issues that could compromise the Netwrix Directory Manager server and integrated identity stores [1].

Mitigation

Netwrix has released version 11.1.25162.02 which addresses this vulnerability. All customers running version 11.0.0.0 or later are advised to apply the update immediately. As of the advisory date, no active exploitation has been reported, but the vendor recommends prompt patching due to the potential for chaining with other vulnerabilities [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
