Severity: Medium
In recent versions of PAM360 and PAM360 MSP Edition (v7410 and v7500), the corresponding upgrade pack did not account for a few specific use cases. This has led to unintended modifications in the 'General Settings,' particularly those related to masking and unmasking the plain-text view of passwords.
If you've upgraded to one of these versions, we recommend reviewing your settings to ensure they reflect your intended configuration.
You can find more details and suggested best practices in the advisory below.
What's the issue?
PAM360 MSP edition
Affected version - 7410
In the 7410 release of PAM360, we rolled out an enhancement to granularly mask/unmask shared passwords of PAM360 users based on their PAM360 user roles.
However, we noticed that, for MSP users who upgraded to this version, the following occurred:
1. For MSP users who had enabled the setting in version 7400 in their MSP org:
The setting was set to "None", allowing all users to view their shared passwords in plain text in the MSP org. However, the same setting was also applied across all of the client orgs.
2. For MSP users who had disabled the setting in version 7400 in their MSP org:
The setting was set to "Non-Administrator Roles" in the MSP org. However, the same setting was also applied across all of the client orgs.
PAM360 standalone edition
Affected version - 7500
We released version 7500 of PAM360 to fix the above issue for MSP users. However, we noticed that for all non-MSP users who upgraded to version 7500 of PAM360, any changes they had made to the setting while on 7410 were lost: the setting was changed back to its original value from 7400.
Version details:
Product Name | Affected Version(s) | Affected PPM SHA256 values | Note |
PAM360 MSP | 7410 | 024e8e908b489ff2415193db695d4adf9c2dc6b45ea8a35ce7c632bd58e5ccdb | This applies to only those who have upgraded to the above mentioned version. |
PAM360 | 7500 | 7af4de5801fc0dbae92fc72ef8ad14431ef24023a0b33c028fb8b0d316c4de69 | This applies to only those who have downloaded the upgrade pack from 6th June, 2025 to 12th June, 2025 and upgraded to the above mentioned version (Note: You can verify the upgrade pack using the SHA256 mentioned in the given box.) |
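The SHA256 check mentioned in the table can be scripted. The following is an added example, not ManageEngine's own tooling: it hashes every retained upgrade pack in a directory and flags any file whose SHA256 matches one of the two values listed above. The `.ppm` file extension and the directory passed on the command line are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# SHA256 values of the affected upgrade packs, copied from the advisory table.
AFFECTED_PPM = {
    "024e8e908b489ff2415193db695d4adf9c2dc6b45ea8a35ce7c632bd58e5ccdb": ("PAM360 MSP", "7410"),
    "7af4de5801fc0dbae92fc72ef8ad14431ef24023a0b33c028fb8b0d316c4de69": ("PAM360", "7500"),
}

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large upgrade packs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(digest):
    """Return (product, version) if the digest is an affected pack, else None."""
    return AFFECTED_PPM.get(digest.strip().lower())

def scan(directory, pattern="*.ppm"):
    """Hash every upgrade pack under a directory; map path -> match or None."""
    results = {}
    for path in sorted(Path(directory).rglob(pattern)):
        if path.is_file():
            results[str(path)] = classify(sha256_file(path))
    return results

if __name__ == "__main__":
    # Assumption: retained upgrade packs live in the directory given as argv[1].
    hits = 0
    for path, match in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        if match:
            hits += 1
            print(f"AFFECTED  {path}  ({match[0]} {match[1]}): review the plain-text view setting")
        else:
            print(f"ok        {path}")
    sys.exit(1 if hits else 0)
```

A match means that file is one of the listed packs. No match only means the file is not one of them, so the installed version and upgrade date still need to be checked against the table.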
Impact
If you upgraded to one of the recent versions of PAM360 (v7410 or v7500), this flaw would allow relevant users to view previously masked passwords in plain text as a result of the automatic modification of this setting. However, any password-related activities by users—such as View, Modify, Reset, and Delete—will be duly audited and logged by the PAM360 console.
What should customers do?
PAM360 MSP users who had upgraded to 7410 or 7500 are strongly advised to manually reset their plain text view of password settings.
PAM360 users who had upgraded to 7500, between 6th June, 2025, and 12th June, 2025, are strongly advised to reset their plain text view of password settings manually.
As a general best practice, we also strongly recommend rotating shared passwords in case exposure is noticed in audit logs.
Steps to reset the plain text view of passwords:
1. Head to General Settings in the Admin console.
2. Reset the setting as appropriate to mask passwords for the required users.