CVE-2023-32784
published 2023-05-15
Priority: P2 · 77 · high · 7.5 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.66% (90.6th percentile)
In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | keepass2 | — | — |
| keepass | keepass | >= 2.00 < 2.54 | 2.54 |
Detection & IOCs (extracted from sources)
- The vulnerability originates from the custom password entry control `SecureTextBoxEx` in KeePass 2.x, which leaves plaintext character traces in process memory. Hunt for KeePass process memory containing repeated single-character UTF-16 strings that form a password pattern.
- Memory artifacts for CVE-2023-32784 can be found not only in live KeePass process dumps but also in pagefile.sys, hiberfil.sys, and full RAM dumps — scan these files for KeePass master password remnants even after the application is closed.
- Password recovery is possible even when the KeePass workspace is locked or the program is no longer running; detection should not rely solely on KeePass being active.
- The public PoC (https://github.com/CMEPW/keepass-dump-masterkey) uses a Python script named poc.py to parse a .dmp file and output candidate master passwords. Monitor for execution of this script or similar memory-parsing tools targeting KeePass process dumps.
- Affected KeePass versions are 2.x newer than 2.0 and prior to 2.54. Inventory KeePass installations and flag any instance running below version 2.54 as vulnerable.
- Post-exploitation workflow observed in the wild: attacker extracts RT30000.zip (containing KeePassDumpFull.dmp + passcodes.kdbx) from a compromised host, runs keepass-dump-masterkey PoC against the .dmp file, then uses the recovered master password to open the .kdbx database and harvest stored credentials.
- Only the first character of the master password cannot be recovered via this technique; all subsequent characters are recoverable. Defenders should not assume partial recovery limits attacker success — brute-forcing the first character is trivial.
- KeePass 2.54 mitigates the vulnerability through different API usage and/or random string insertion; upgrading to 2.54+ is required for remediation.
- According to Wiz telemetry, approximately 10% of cloud environments run KeePass versions vulnerable to CVE-2023-32784, making this a significant post-exploitation target for credential harvesting in cloud environments.
CVSS provenance
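| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |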
GHSA
GHSA-f4c7-5p8v-p7jh: In KeePass 2
ghsa_unreviewed·2023-05-15
CVE-2023-32784 [HIGH] CWE-319 GHSA-f4c7-5p8v-p7jh: In KeePass 2
OSV
CVE-2023-32784: In KeePass 2
osv·2023-05-15·CVSS 7.5
CVE-2023-32784 [HIGH] CVE-2023-32784: In KeePass 2
VulnCheck
keepass keepass Cleartext Transmission of Sensitive Information
vulncheck·2023·CVSS 7.5
CVE-2023-32784 [HIGH] keepass keepass Cleartext Transmission of Sensitive Information
Affected: keepass keepass
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/2024-07/aa24-207a-dprk-cyber-group-conducts-global-espionage
Debian
CVE-2023-32784: keepass2 - In KeePass 2.x before 2.54, it is possible to recover the cleartext master passw...
vendor_debian·2023·CVSS 7.5
CVE-2023-32784 [HIGH] CVE-2023-32784: keepass2 - In KeePass 2.x before 2.54, it is possible to recover the cleartext master passw...
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
arXiv
StealthCup: Realistic, Multi-Stage, Evasion-Focused CTF for Benchmarking IDS
arxiv_fulltext·2025-11-21
Manuel Kern, Dominik Steffan, Felix Schuster, Florian Skopik, Max Landauer, David Allison
Austrian Institute of Technology
Simon Freudenthaler
FH Hagenberg
Edgar Weippl
University of Vienna
## Abstract
Intrusion Detection Systems (IDS) are critical to defending enterprise and industrial control environments, yet evaluating their effectiveness under realistic conditions remains an open challenge.
Existing benchmarks rely on synthetic datasets (e.g., NSL-KDD, CICIDS2017) or scripted replay frameworks, which fail to capture adaptive adversary behavior.
Even MITRE ATT&CK Evaluations, while influential, are host-centric and assume malware-
CTF
medium / README
ctf_writeups·CVSS 9.1
[CRITICAL] medium / README
---
layout: default
title: Medium Machines
parent: Machines
nav_order: 2
description: "112+ Medium HTB machine writeups with walkthroughs"
permalink: /machines/medium/
---
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
Keeper / README
ctf_writeups
Keeper / README
# Keeper
> Write-up author: jon-brandy
## STEPS:
> PORT SCANNING
```
┌──(brandy㉿bread-yolk)-[~]
└─$ nmap -p- -sVC 10.10.11.227 --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-07 06:14 PDT
Nmap scan report for keeper.htb (10.10.11.227)
Host is up (0.030s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
|_ 256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect
```
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
CTF
Keeper / README
ctf_writeups·CVSS 7.5
CVE-2023-32784 [HIGH] Keeper / README
# Keeper - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22` and `80`.
***User***: Discovered the SSH password for the `lnorgaard` user on the `Request Tracker system's` user information page.
***Root***: Located a zip file named `RT30000.zip` containing a `KeePass` database file and a memory dump. Utilized `CVE-2023-32784` to extract the password from the memory dump. Additionally, identified the `Putty User-Key-File` for the `root` user in the `KeePass` database. Converted it to SSH private key using `puttygen`.
## Keeper Solution
### User
Let's begin by using `nmap` to scan the target machine:
```console
┌─[evyatar9@parrot]─[/hackthebox/Keeper]
└──╼ $ nmap -sV
```
Wiz
Crying Out Cloud - May Newsletter | Wiz
blogs_wiz·2023-06-06·CVSS 7.5
[HIGH] Crying Out Cloud - May Newsletter | Wiz
Over the last month, we've seen a couple of vulnerabilities pop up and some users have felt the impact of security incidents. We know you're busy too, so we've sifted through the noise to bring you the real game-changers, no fluff attached.
Without further ado, here are our handpicked cloud security highlights!
## ✨ Highlights
## RCE 0-day vulnerability in MOVEit Transfer exploited in the wild
On May 31, 2023, Progress published details of an RCE 0day vulnerability being exploited in-the-wild in MOVEit Transfer (CVE-2023-34362), a Windows-Server-based managed file transfer (MFT) service. Users are urgently advised to patch to the fixed version. While our own data shows MOVEit Transfer can be found in less than 1% of cloud environments, based on other reports, most publicly exposed inst
Wiz
Exploitable and unpatched KeePass vulnerability: everything you need to know | Wiz Blog
blogs_wiz·2023-05-23·CVSS 7.5
CVE-2023-32784 [HIGH] Exploitable and unpatched KeePass vulnerability: everything you need to know | Wiz Blog
A vulnerability in password manager KeePass (CVE-2023-32784) enables the extraction of the master password from the application's memory, allowing attackers with existing access to a vulnerable machine to retrieve the password, even when the database is locked.
A proof of concept (PoC) was published on May 18, 2023, and as of May 22 there is still no patch available for the vulnerability. The patch addressing this vulnerability was released in version `2.54.0`. With a public PoC and no available patch, we expect to see exploitation attempts being made.
### What is CVE-2023-32784?
KeePass is an open-source password manager designed to enable users to create unique passwords for each of their accounts and store them in a local database, known as a password vault. To ensure the security of this password vault, users need to remember a single master password that is used to unlock it and access the credentials stored within.
The master password encrypts the vault, thereby preventing unauthorized access. However, if the master password is compromised, an attacker with access
- https://github.com/keepassxreboot/keepassxc/discussions/9433
- https://github.com/vdohney/keepass-password-dumper
- https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/