CVE-2023-36266: Plaintext password storage in memory in Keeper Password Manager for Desktop and KeeperFill Browser Extensions
An issue was discovered in Keeper Password Manager for Desktop version 16.10.2 (fixed in 17.2) and the KeeperFill Browser Extensions version 16.5.4 (fixed in 17.2) that allows local attackers to obtain sensitive information via plaintext password storage in memory after the user has logged in; the data may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session to an attacker who can read from arbitrary memory locations, and it remains available after logout only because of memory-management limitations of web browsers (not because the Keeper technology itself retains the information).
AI Analysis
Technical Summary
CVE-2023-36266 affects Keeper Password Manager for Desktop version 16.10.2 and the KeeperFill Browser Extensions version 16.5.4; both were addressed in version 17.2. Once a user has logged in, passwords are held in plaintext in process memory, so a local attacker who can read arbitrary memory on the machine can recover them, and the data may persist in memory after the user logs out. The vendor disputes the severity on two grounds: during an active session the information is inherently accessible to anyone who can already read arbitrary memory, and the persistence after logout stems from web browser memory management rather than from Keeper's own code. The exposure still matters because plaintext credentials in memory can be extracted by malware or by a local attacker with sufficient privileges. No CVSS score has been assigned, so severity must be judged from the nature of the flaw, its impact, and the complexity of exploitation. Exploitation needs no remote access and no user interaction beyond the user being logged in, but it does require the ability to read the system's memory locally, which confines the attack vector to local or malware-based threats. No exploits in the wild have been reported.
Potential Impact
For European organizations, this vulnerability poses a significant risk, particularly where endpoint security is not tightly controlled. An attacker with local access to a device, whether physical or through malware, could extract plaintext passwords from memory and compromise multiple accounts managed by Keeper Password Manager, leading to unauthorized access to corporate resources, data breaches, and lateral movement within networks. Because sensitive data can persist in memory after logout, the window in which credentials can be harvested is wider than the active session alone. Organizations subject to GDPR and similar compliance requirements must weigh the risk of credential exposure and the data breaches that could follow. The impact is especially critical in sectors handling sensitive data such as finance, healthcare, and government. The need for local access or a malware foothold narrows the scope compared with remotely exploitable vulnerabilities, but the issue remains a serious threat wherever endpoint compromise is a realistic scenario.
Mitigation Recommendations
European organizations should ensure that all Keeper Password Manager desktop clients and browser extensions are updated to version 17.2 or later, which contains the fix. Beyond patching, organizations should implement strict endpoint security controls, including application whitelisting, anti-malware solutions with memory scanning capabilities, and least-privilege policies that limit local access rights. Hardware-based security features such as Trusted Platform Modules (TPM) and full disk encryption can reduce the risk of memory scraping attacks. Monitoring for unusual local access patterns and deploying endpoint detection and response (EDR) tooling can help detect exploitation attempts. Organizations should also educate users about the risks of local device compromise and enforce policies that prevent installation of unauthorized software. In browser environments, limiting the number of installed extensions and keeping browsers up to date can mitigate the memory management behaviour that contributes to data persistence. Finally, multi-factor authentication (MFA) reduces the impact of any credential that is exposed.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2023-06-21T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68487f5e1b0bd07c3938ff28
Added to database: 6/10/2025, 6:54:22 PM
Last enriched: 7/10/2025, 7:19:42 PM
Last updated: 8/12/2025, 4:58:20 PM