
CVE-2023-48654

Severity: Unknown (no CVSS score assigned)
Published: Mon Dec 25 2023 (12/25/2023, 00:00:00 UTC)
Source: CVE Database V5

Description

One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: go to the Google ReCAPTCHA section, click on the Privacy link, observe that there is a new browser window, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM.

AI-Powered Analysis

Last updated: 11/04/2025, 19:52:56 UTC

Technical Analysis

CVE-2023-48654 is a kiosk escape in One Identity Password Manager before 5.13.1 that ends in SYSTEM-level code execution on the Windows client. The product lets users reset their Active Directory password from the Windows logon screen by launching a Chromium-based browser in kiosk mode, which is meant to confine the user to the password reset page. That confinement is only as strong as the browser's window and navigation controls, and the reset page embeds Google reCAPTCHA, whose widget carries a Privacy link. Clicking that link opens a second browser window that is not subject to the kiosk restrictions, so the user can navigate to any site. On a site with a file upload control, the browser opens the native Windows file-picker dialog, which is a cut-down Explorer window: from it the user can browse to C:\Windows\System32 and launch cmd.exe. Because the browser was started from the logon screen before anyone authenticated, it runs under the LocalSystem account, and the command prompt inherits that token, giving NT AUTHORITY\SYSTEM on the endpoint without any credentials. No CVSS score has been assigned to the record, but the published description is itself a complete, reproducible sequence, so the absence of a score says nothing about exploitability. The chain is a generic pattern (an external link rendered inside a kiosk browser, then a file dialog used as a program launcher) rather than a memory-safety bug, which makes it reliable and requires no tooling. Anyone who can reach the logon screen, physically or through a remote console session, can use it, and SYSTEM on a domain-joined workstation is a strong starting point for credential theft and lateral movement.

Potential Impact

The impact on European organizations that deploy One Identity Password Manager on workstation logon screens is that any such endpoint can be taken over at SYSTEM level by someone standing in front of it, or connected to its console, without a single credential. That defeats the logon screen as a security boundary on the affected machines. SYSTEM on a domain-joined client lets the attacker read cached credentials and tokens, install persistence and pivot into the network, so the realistic blast radius is lateral movement and, depending on what is cached on the machine, escalation toward domain administration; full domain compromise is a possible follow-on rather than a direct result of the bug. Shared or publicly accessible PCs, help-desk machines and hot-desk workstations, where self-service reset is most useful, are also where untrusted people most often have physical access. Financial institutions, government agencies and critical infrastructure operators across Europe commonly run this kind of self-service reset, and a breach that begins with a SYSTEM shell on an endpoint can lead to ransomware deployment, data theft, GDPR breach-notification obligations and reputational damage.

Mitigation Recommendations

To mitigate CVE-2023-48654, upgrade One Identity Password Manager to version 5.13.1 or later, the first fixed release. Where that cannot be done immediately, reduce exposure of the logon screen: restrict physical access to machines running the kiosk, disable the self-service reset on workstations that do not need it, and limit remote console access (RDP to the logon screen, hypervisor consoles) to administrators. Inside the kiosk browser, break the two steps the escape depends on: block navigation to any origin other than the reset page, so that neither the reCAPTCHA Privacy link nor an upload site can load, and disable file-selection dialogs if the embedded browser exposes a policy for that. Use application control (AppLocker or Windows Defender Application Control) to stop cmd.exe, PowerShell and other interactive tools from running in the logon-screen context, and have EDR alert on any process spawned by the kiosk browser that is not one of its own helper processes, especially a shell running as NT AUTHORITY\SYSTEM. Review whether a kiosk-mode reset on the logon screen is needed at all, or whether a reset portal reachable from an authenticated session is sufficient. Brief help-desk and site staff to report unexpected windows or command prompts on logon screens, and monitor process-creation telemetry for exactly that parent-child relationship. Finally, have an incident response plan that treats a confirmed escape as a full compromise of the endpoint and of every credential cached on it.
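The detection point above (a shell or other non-browser process spawned beneath the kiosk browser, running as SYSTEM) is concrete enough to write down. The following is an added example, not code from the vulnerability record or from One Identity: it walks Sysmon Event ID 1 style process-creation records, follows ParentProcessGuid links upward, and reports every process that descends from the kiosk browser. The kiosk executable name "oipmkiosk.exe" is a placeholder assumption, since the page does not give it, and the sample events are constructed for the example rather than taken from a real host.

```python
"""Flag processes that descend from the logon-screen kiosk browser.

Added detection example for the CVE-2023-48654 pattern: a non-browser
process, typically cmd.exe, spawned beneath the password-reset kiosk
browser while running as NT AUTHORITY\\SYSTEM. Input records follow the
field names of Sysmon Event ID 1 (process creation).
"""

# ASSUMPTION: the kiosk browser's executable name is not given on the page.
# "oipmkiosk.exe" is a placeholder; replace it with the image name in your logs.
KIOSK_BROWSER_IMAGES = {"oipmkiosk.exe"}

# Interactive shells and LOLBins that have no business being children of a browser.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe",
                "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}

SYSTEM_USER = "nt authority\\system"


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: dict, by_guid: dict) -> list:
    """Walk ParentProcessGuid links upward; stop at the root, a missing parent or a cycle."""
    chain, seen, cur = [], set(), event
    while True:
        parent_guid = cur.get("ParentProcessGuid")
        if not parent_guid or parent_guid in seen or parent_guid not in by_guid:
            return chain
        seen.add(parent_guid)
        cur = by_guid[parent_guid]
        chain.append(cur)


def find_kiosk_escapes(events: list, kiosk_images=KIOSK_BROWSER_IMAGES) -> list:
    """Return one alert per process that descends from the kiosk browser.

    Chromium launches its helper processes (renderer, GPU, utility) under the
    same image name, so same-image children are ignored. Anything else below
    the kiosk is reported; a shell running as SYSTEM is rated high, the rest medium.
    """
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        img = image_name(e["Image"])
        if img in kiosk_images:
            continue  # the browser itself and its own helper processes
        chain = ancestors(e, by_guid)
        if not any(image_name(a["Image"]) in kiosk_images for a in chain):
            continue
        is_system = e.get("User", "").lower() == SYSTEM_USER
        severity = "high" if is_system and img in SHELL_IMAGES else "medium"
        alerts.append({
            "ProcessGuid": e["ProcessGuid"],
            "Image": img,
            "User": e.get("User", ""),
            "Severity": severity,
            "Chain": [image_name(a["Image"]) for a in chain],  # parent first
        })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessGuid": "W1", "ParentProcessGuid": None,
     "Image": r"C:\Windows\System32\winlogon.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "K1", "ParentProcessGuid": "W1",            # kiosk launched at logon
     "Image": r"C:\Program Files\Example\oipmkiosk.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "K2", "ParentProcessGuid": "K1",            # normal renderer child
     "Image": r"C:\Program Files\Example\oipmkiosk.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "C1", "ParentProcessGuid": "K1",            # the escape
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "C2", "ParentProcessGuid": "C1",            # follow-on from the shell
     "Image": r"C:\Windows\System32\whoami.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "U1", "ParentProcessGuid": None,            # benign user session
     "Image": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"ProcessGuid": "U2", "ParentProcessGuid": "U1",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice"},
]


if __name__ == "__main__":
    for a in find_kiosk_escapes(SAMPLE_EVENTS):
        print(a["Severity"].upper(), a["Image"], "as", a["User"],
              "via", " <- ".join(a["Chain"]))
```

Run against the constructed sample, the function raises two alerts: cmd.exe as SYSTEM directly under the kiosk (high) and whoami.exe beneath that shell (medium), while the user-session cmd.exe under explorer.exe produces nothing. Walking the whole ancestor chain rather than checking only the immediate parent matters because the attacker's first action after the escape will be to launch further tools from the shell.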


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2023-11-17T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 690a5558a730e5a3d9d7c208

Added to database: 11/4/2025, 7:34:48 PM

Last enriched: 11/4/2025, 7:52:56 PM

Last updated: 11/5/2025, 1:47:30 PM

