cbcvebase.
CVE-2023-32784
published 2023-05-15


Priority: P277 · 7.5 high (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW exploit: VulnCheck KEV · Exploited in the wild
EPSS: 4.66% (90.6th percentile)
In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.

Affected (2 ranges)

Vendor    Product    Version range      Fixed in
debian    keepass2   (not stated)       (not stated)
keepass   keepass    >= 2.00, < 2.54    2.54

Detection & IOCs (extracted from sources)

path: pagefile.sys
path: hiberfil.sys
process: KeePass.exe
  • The vulnerability originates from the custom password entry control `SecureTextBoxEx` in KeePass 2.x, which leaves plaintext character traces in process memory. Hunt for KeePass process memory containing repeated single-character UTF-16 strings that form a password pattern.
  • Memory artifacts for CVE-2023-32784 can be found not only in live KeePass process dumps but also in pagefile.sys, hiberfil.sys, and full RAM dumps — scan these files for KeePass master password remnants even after the application is closed.
  • Password recovery is possible even when the KeePass workspace is locked or the program is no longer running; detection should not rely solely on KeePass being active.
  • The public PoC (https://github.com/CMEPW/keepass-dump-masterkey) uses a Python script named poc.py to parse a .dmp file and output candidate master passwords. Monitor for execution of this script or similar memory-parsing tools targeting KeePass process dumps.
  • Affected KeePass versions are 2.x newer than 2.0 and prior to 2.54. Inventory KeePass installations and flag any instance running below version 2.54 as vulnerable.
  • Post-exploitation workflow observed in the wild: attacker extracts RT30000.zip (containing KeePassDumpFull.dmp + passcodes.kdbx) from a compromised host, runs keepass-dump-masterkey PoC against the .dmp file, then uses the recovered master password to open the .kdbx database and harvest stored credentials.
  • Only the first character of the master password cannot be recovered via this technique; all subsequent characters are recoverable. Defenders should not assume partial recovery limits attacker success, since brute-forcing the first character is trivial.
  • KeePass 2.54 mitigates the vulnerability through different API usage and/or random string insertion; upgrading to 2.54 or later is required for remediation.
  • According to Wiz telemetry, approximately 10% of cloud environments run KeePass versions vulnerable to CVE-2023-32784, making this a significant post-exploitation target for credential harvesting in cloud environments.
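Added example (not from the page's sources or the linked PoC): a small Python detection pass over constructed process-creation events that flags the artifacts the bullets above name (poc.py or keepass-dump-masterkey run against a .dmp, a dump command naming KeePass.exe, the RT30000.zip / KeePassDumpFull.dmp bundle), plus a helper that flags KeePass versions in the affected range. The event shape, the tool name memtool.exe and all paths are constructed for illustration.

```python
"""Flag process events and KeePass versions relevant to CVE-2023-32784."""
import re

# Constructed Sysmon-like process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"id": 2, "image": r"C:\Python311\python.exe",
     "cmdline": r"python.exe poc.py -d C:\Users\u\Downloads\KeePassDumpFull.dmp"},
    {"id": 3, "image": r"C:\Tools\memtool.exe",  # hypothetical dump utility
     "cmdline": r"memtool.exe -ma KeePass.exe C:\Temp\kp.dmp"},
    {"id": 4, "image": r"C:\Program Files\KeePass2\KeePass.exe",
     "cmdline": r"KeePass.exe C:\Users\u\passcodes.kdbx"},
]

DUMP_FILE = re.compile(r"\.dmp\b")

# Each rule is (name, predicate over the lowercased command line).
RULES = [
    # The public PoC (poc.py / keepass-dump-masterkey) parsing a .dmp file.
    ("keepass_dump_parser",
     lambda c: ("poc.py" in c or "keepass-dump-masterkey" in c)
     and DUMP_FILE.search(c) is not None),
    # Something other than KeePass itself producing or naming a KeePass dump.
    ("keepass_process_dump",
     lambda c: "keepass" in c and DUMP_FILE.search(c) is not None
     and not c.startswith("keepass.exe")),
    # File names from the in-the-wild post-exploitation workflow.
    ("keepass_exfil_bundle",
     lambda c: "rt30000.zip" in c or "keepassdumpfull.dmp" in c),
]


def match_rules(event):
    """Return the names of every rule the event's command line triggers."""
    cmd = event["cmdline"].lower()
    return [name for name, pred in RULES if pred(cmd)]


def scan_events(events):
    """Map event id -> triggered rule names, omitting events that trigger none."""
    hits = {}
    for ev in events:
        names = match_rules(ev)
        if names:
            hits[ev["id"]] = names
    return hits


def is_vulnerable_version(version):
    """True for KeePass 2.x versions >= 2.00 and < 2.54 (the affected range)."""
    parts = [int(p) for p in version.split(".")]
    major, minor = parts[0], parts[1] if len(parts) > 1 else 0
    return major == 2 and minor < 54
```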

CVSS provenance

Source          Version   Score      Vector
nvd             v3.1      7.5 HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv                       7.5 HIGH
vulncheck                 7.5 HIGH
vendor_debian             7.5 LOW