CyberArk: CA25-33 – Possible DoS attack by locking application users
Issued: October 8, 2025
Updated: N/A
Version: 1.0
Severity: High
CVSS Score: 8.2
Third-party publication / CVE: N/A
Impact: Possible DoS attack by locking application users
Affected products and versions:
Vault Self-Hosted – All versions
* This Security Bulletin applies only to the listed affected products. If this issue also affects another CyberArk product, it will be addressed separately in accordance with CyberArk’s Product Vulnerability Management Policy.
** Relates only to versions that are within their development life cycle. Please refer to our End of Life policy for details.
Resolution
Upgrade to a patch version from the following table by downloading the patch from the respective link and following the instructions in our online documentation.
If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility documentation.
Installed Version:
Vault 14.6 and its patches prior to 14.6.2 – Patch version 14.6.2 – https://www.cyberark.com/CA25-33-VaultSH-14.6.2 – docs
Vault 14.2 and its patches prior to 14.2.4 – Patch version 14.2.4 – https://www.cyberark.com/CA25-33-VaultSH-14.2.4 – docs
Vault 14.0 and its patches prior to 14.0.5 – Patch version 14.0.5 – https://www.cyberark.com/CA25-33-VaultSH-14.0.5 – docs
CyberArk recommends enforcing strong password complexity requirements for all system accounts, including both human and non-human users. For detailed settings, please refer to the passparm.ini configuration file.
PAM on Cloud customers: CyberArk will not release AWS AMIs and Azure VM Images. Customers should run the upgrade process on the provided images following deployment.
Temporary mitigation
There is no temporary mitigation available for this security bulletin.
Exploited in the wild in a CyberArk environment
Not to the best of CyberArk’s knowledge.
Technical FAQ
Do I need to upgrade my Disaster Recovery Vault, PAReplicate, and EVD as well?
Disaster Recovery Vault and EVD versions (and patch version) need to be aligned with the Vault’s patch version.
PAReplicate should be the same minor version as the Vault (for example, PAReplicate 14.2 is compatible with Vault 14.2.2).
As CyberArk receives questions related to this Security Bulletin, answers will be added to the Technical FAQ article. To stay informed of updates, open the FAQ article and click Follow to receive notifications when new questions and answers are published.
CyberArk: CA25-32 – Potential disclosure of sensitive information in Central Credential Provider (CCP).
Issued: October 8, 2025
Updated: N/A
Version: 1.0
Severity: High
CVSS Score: 7.1
Third-party publication / CVE: N/A
Impact: Potential disclosure of sensitive information in Central Credential Provider (CCP).
Affected products and versions:
Central Credential Provider (CCP) – Versions 14.0 and 14.2 – Versions prior to 14.0 are not affected
* This Security Bulletin applies only to the listed affected products. If this issue also affects another CyberArk product, it will be addressed separately in accordance with CyberArk’s Product Vulnerability Management Policy.
** Relates only to versions that are within their development life cycle. Refer to our End of Life policy for details.
Resolution
Upgrade to a patch version from the following table by downloading the patch from the respective link and following the instructions in our online documentation.
If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility documentation.
Installed Version:
14.0, 14.2, and their patches prior to 14.2.4 – Patch Version 14.2.4 – https://www.cyberark.com/CA25-32-CCP-14.2.4 – Upgrade the Central Credential Provider(CCP) Note: Ensure that you upgrade the CCP’s Credential Provider (CP).
Temporary mitigation
There is no temporary mitigation available for this security bulletin.
Exploited in the wild in a CyberArk environment
Not to the best of CyberArk’s knowledge.
Technical FAQ
Are Credential Provider (CP) and Application Server Credential Provider (ASCP) also affected by this issue?
Yes. Credential Provider versions 14.0 and 14.2, including all patches prior to version 14.2.4, are affected by this issue. However, due to the limited attack vector, it is scored as medium severity and does not merit a bulletin announcement. The Application Server Credential Provider relies on the Credential Provider and is therefore also impacted by this issue (at medium severity).
A fix is available in Credential Provider version 14.2.4: https://www.cyberark.com/CA25-32- CP-14.2.4.
As CyberArk receives questions related to this Security Bulletin, answers will be added to the Technical FAQ article. To stay informed of updates, open the FAQ article and click Follow to receive notifications when new questions and answers are published.
SailPoint Introduces: Agent Identity Security
Why This Matters
As AI agents become integral members of the workforce, organizations need a way to govern and secure them just like human identities.
Agent Identity Security helps enterprises:
- Discover, secure, and govern AI agents under one unified control plane
- Assign ownership and ensure accountability for every agent
- Prevent over-permissioning, misalignment, and regulatory exposure
What Has Changed
Agent Identity Security extends SailPoint’s Identity Security Cloud to include AI agents alongside human users.
Key capabilities include:
- AI Agent Aggregation & Identity Creation – Connect directly to AWS, Azure, and GCP to onboard AI agents with enriched identity context
- Ownership & Succession Planning – Assign human owners to agents and maintain continuous oversight
- Certification & Review – Recertify agent access regularly and revoke inappropriate permissions
- Tool Governance – Apply consistent policies to agent service accounts from creation through retirement
- Audit & Traceability – Maintain full audit trails and certification records for compliance and investigations
Available for: Business and Business+ customers as an add-on capability
CyberArk: Database discovery and automated onboarding
We’re excited to announce a new capability in our discovery SaaS, which extends support to databases. This enhancement enables teams to seamlessly uncover, secure, and onboard database accounts with greater efficiency. Security teams can now accelerate onboarding at scale, reduce manual effort, and ensure database credentials are continuously rotated and tightly controlled.
Key highlights:
- Targeted scanning: Run discovery scans using a CSV list of targets containing access details.
- Dynamic credential utilization: The scan automatically fetches relevant vaulted credentials at runtime, based on target data.
- Centralized discovery flow: Accounts identified during scans are routed into the Discovered Accounts area, making it simple to review and vault them together with other discoveries.
- Automated remediation rules: Define onboarding rules to automatically vault and manage discovered accounts.
- End-to-end coverage: From discovery → onboarding → rotation and access services, database accounts are fully managed in one streamlined workflow.
Supported databases:
- MS SQL Server
- Oracle
- MySQL
- PostgreSQL
