Click Studios Patches Critical Passwordstate Authentication Bypass Vulnerability in Emergency Access Page
Click Studios, the developer of the enterprise-focused password management solution Passwordstate, has announced the release of security updates to address an authentication bypass vulnerability in its software. This issue, which has not yet been assigned a CVE identifier, has been resolved in Passwordstate 9.9 (Build 9972), released on August 28, 2025. The Australian company indicated that it fixed a “potential Authentication Bypass when using a carefully crafted URL against the core Passwordstate Products’ Emergency Access page.” Additionally, the latest version includes enhanced protections against potential clickjacking attacks targeting its browser extension, particularly in light of findings from security researcher Marek Tóth, who highlighted vulnerabilities in several password manager browser add-ons.
According to Click Studios, Passwordstate is utilised by 29,000 customers and 370,000 security and IT professionals across global enterprises, government agencies, financial institutions, and Fortune 500 companies. This disclosure follows a significant supply chain breach over four years ago, which allowed attackers to hijack the software’s update mechanism and deploy malware to harvest sensitive information. In December 2022, Click Studios also addressed multiple security flaws in Passwordstate, including an authentication bypass for the software’s API (CVE-2022-3875, CVSS score: 9.1), which could have been exploited by unauthenticated remote adversaries to access users’ plaintext passwords.