Severity by source
CVSS vector (NVD): CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions.
Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host.
The condition was reported through coordinated disclosure by Hope Walker (SpecterOps).
Analysis (AI-generated)
StrongDM Desktop Application on Microsoft Windows exposes authentication secrets - including JSON Web Tokens and asymmetric key material - by writing them in cleartext to C:\Users\<username>\.sdm\state.kv, a per-user state file protected solely by default NTFS user-level permissions. Versions prior to Desktop Application 23.74.0 and Desktop Client 53.77.0 are affected. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires a local Windows session with at minimum read access to the target user's profile directory (C:\Users\<username>\.sdm\state.kv). … |
| Risk Assessment | The CVSS 4.0 base score of 2.0 accurately reflects a narrow, locally-constrained vulnerability. … |
| Exploit Scenario | An attacker who has obtained local low-privilege access to a Windows endpoint - for example, via malware, a compromised shared account, or physical access - navigates to C:\Users\<targetuser>\.sdm\state.kv and reads the plaintext file to extract the victim's JWT and asymmetric key material. With these credentials, the attacker can authenticate to StrongDM as the victim user and access any databases, servers, or cloud resources the victim was authorized to reach through the StrongDM gateway, potentially without triggering new authentication prompts. … |
| Remediation | Upgrade StrongDM Desktop Application to version 23.74.0 or later and StrongDM Desktop Client to version 53.77.0 or later, as confirmed by the vendor advisory at https://security.strongdm.com/?tcuUid=56fde839-9388-4361-8d3b-9baa7b2de2ed. … |
Weakness: CWE-312 – Cleartext Storage of Sensitive Information
Technique: Information Disclosure
Related identifiers: EUVD-2026-33417, GHSA-qgjm-4mg2-6wm5