Kiosk Escape Privilege Escalation in One Identity Password Manager Secure Password Extension


Kiosk Escape Privilege Escalation


One Identity Password Manager Secure Password Extension

Vulnerable Version


Fixed Version


CVE Number







Stefan Schweighofer, Constantin Schieber-Knöbl (Office Vienna), Armin Weihbold (Office Linz) | SEC Consult Vulnerability Lab

The Password Manager Extension from One Identity can be used to perform two different kiosk escapes on the lock screen of a Windows client. These two escapes allow an attacker to execute commands with the highest permissions of a user with the SYSTEM role.

Vendor description

"One Identity delivers solutions that help customers strengthen operational efficiency, reduce risk surface, control costs and enhance their cybersecurity. Our Unified Identity Platform brings together best-in-class software to enable organizations to shift from a fragmented identity strategy to a holistic approach."


Business recommendation

The vendor provides a patch version 5.13.1 which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.

Vulnerability overview/description

The Password Manager Application by One Identity enables users to reset their Active Directory passwords on the login screen of a Windows client, with the Secure Password Extension. The Secure Password Manager Extension launches a Chromium based browser in Kiosk mode to provide the reset functionality.

Due to application-specific functionalities the Password Manager Extension suffers from two exploitable Kiosk Escape vulnerabilities which allow a local, pre-authenticated attacker to escalate the privileges to SYSTEM.

1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)

The Password Manager Extension uses Google ReCAPTCHA, which enables an attacker to escape the Kiosk Mode of the browser and gain "nt authority\system" permissions on the login screen of the targeted machine. This is possible due to the fact that Google ReCAPTCHA links to external websites, which open in a new browser window and enable an attacker to navigate to other external websites.

2) Password Manager Kiosk Escape after Session Timeout

The Password Manager application provides a link to a help page of One Identity. This link references an external site and is therefore hidden in the Kiosk Mode browser of the Password Manager Extension. If the Password Manager Extension website is loaded after an active session expires the link to the external One Identity websites gets shown. This enables an attacker to escape the Kiosk Mode of the browser and gain "nt authority\system" permissions on the login screen of the targeted machine.

Proof of concept

1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)

An attacker requires access to a locked machine, where the Password Manger Extension is installed, either via physical (pre-auth) or remote (RDP) access. From the login screen the Password Manger Extension Kiosk mode browser can be launched.

Since Google ReCAPTCHA is used on the Password Manger website the Google ReCAPTCHA icon is also shown on the website and provides a link to an external website via the "Privacy" button of the Google ReCAPTCHA field.

2) Password Manager Kiosk Escape after Session Timeout

An attacker requires access to a username to login to either the Password Manager website or a logged in user, which leaves the session open until the session expires. Since the Password Manager uses Active Directory credentials, the username from the Windows login screen can be used to log into the website. For this attack the session of a logged-in user has to expire.

After the session expiration the Password Manager website gets reloaded and displays a help icon that is usually hidden. The help icon links to the external One Identity website, from which it is possible to navigate to the Google Search website using the Sign In option of the One Identity website. The Sign In page has the option to login with a Facebook account and information about cookies is displayed on this page, which links to a Google Chrome website.

For both vulnerability 1 and 2, an attacker can use the Google Search website and trigger the "search by image" feature. This "search by image" feature can be used to trigger an upload, which then opens a file explorer window for file selection.

The file explorer window makes it possible to input "cmd" in the path field of the file explorer to open a command prompt. The created command prompt is executed with highest "nt authority\system" permissions.

Vulnerable / tested versions

The following version has been tested which was the latest version available at the time of the test:

  • 5.13

It is assumed that all previous versions are affected as well.

Vendor contact timeline

2023-11-06: Contacting vendor through vendor security contact form
2023-11-07: Vendor is able to reproduce both escapes, internal discussion with product team needed.
2023-11-14: Vendor notifies us that the product team fixed the vulnerabilities and will release an update soon. Asking for CVE numbers.
2023-11-15: Vendor will not assign CVE numbers, we are going to request them. Patch release scheduled for 17th or the week after.
2023-11-17: Receiving one CVE number from MITRE, asking about the second one; no response.
2023-11-20: Asking for status update as no patch was released on 17th.
2023-11-21: Patch was postponed to 1st December, setting our release date to 6th December.
2023-12-01: Vendor releases fixed version v5.13.1.
2023-12-06: Coordinated release of security advisory.


The vendor provides a patch which can be downloaded from

The release notes of the vendor can be found here:



Advisory URL

EOF S. Schweighofer, C. Schieber-Knöbl, A. Weihbold / @2023


Interested to work with the experts of SEC Consult? Send us your application

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices