Addressing Recent Vulnerabilities and Our Commitment to Security

July 15, 2025 Peter Beardmore

Product Insight

At CyberArk, the trust and security of our customers are at the heart of everything we do. Today, July 15th, we are addressing the publication of several Common Vulnerabilities and Exposures (CVEs) related to CyberArk Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur Open Source (OSS). We regret the challenges this situation may pose to our customers and reaffirm our commitment to supporting them through the resolution process. We encourage our customers to begin the remediation process as soon as possible.

Here are the CVEs that have been published with the National Vulnerability Database:

  • CVE-2025-49827 [CVSS 9.1, Critical]: Bypass of IAM Authenticator in Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS
  • CVE-2025-49831 [CVSS 9.1, Critical]: IAM Authenticator Bypass via Mis-configured Network Device in Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS
  • CVE-2025-49828 [CVSS 8.6, High]: Remote Code Execution in Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS
  • CVE-2025-49830 [CVSS 7.1, High]: Path traversal and file disclosure in Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS
  • CVE-2025-49829 [CVSS 6.0, Moderate]: Missing validations in Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS

We take these vulnerabilities seriously and have acted swiftly and responsibly to address them. As soon as we were informed of these issues, we began the work of verifying the vulnerabilities, developing patches, and working closely with the reporting researcher to ensure a thorough and effective resolution. This collaborative approach underscores our dedication to transparency and responsible disclosure, as well as our commitment to maintaining the highest standards of security.

Background:

  • We were informed of these issues by Cyata, an external cybersecurity company that conducted independent research involving the products. The discovery was made by Yarden Porat of Cyata, and CyberArk immediately began to investigate and address the issue.
  • We shared an email security bulletin with CyberArk customers, including links to the applicable patches for CyberArk Secrets Manager, Self-Hosted. We have also made attempts to directly reach and advise customers through support, sales, and partner channels. Our support and customer success teams are continuing to assist customers with upgrades.
  • Today we’ve made the details of the vulnerabilities public via the National Vulnerability Database, with the CVEs listed above, and have published fixes for Conjur OSS.

We understand the additional risk and operational disruption this issue may cause, and we apologize for the inconvenience to our customers. Our teams have been working tirelessly to notify affected customers, provide guidance, and assist with the patching process. Fixes are now available for download on CyberArk Marketplace for Secrets Manager, Self-Hosted (formerly Conjur Enterprise) customers and on GitHub and DockerHub for the Open Source version.

As far as we know, these vulnerabilities have not been exploited in the wild, but we strongly encourage all users of the affected software to deploy the newly released patches as soon as possible. Our customers’ security is our top priority, and we are here to support them every step of the way.

We remain committed to continuous improvement and are conducting a thorough post-mortem analysis. We have already begun integrating lessons learned into our processes to prevent similar issues in the future.

“To our customers, partners, and the broader community: thank you for your trust and understanding as we navigate this challenge together,” affirmed Kurt Sand, GM of Machine Identity Security at CyberArk. “We remain steadfast in our mission to protect your most critical assets and will continue to prioritize your security above all else. To that end, we also thank Cyata for working closely with us to help accelerate resolution for our customers.”

If you have any questions or need assistance, please don’t hesitate to reach out to our support team. We are here to help. Submit a Case.


Peter Beardmore is Sr. Director of Product Marketing at CyberArk.
