AD credentials can be leaked from the Management Interface for Cloud Access Connector (current and legacy)

Rate this Article
No votes yet


An insufficiently protected credentials vulnerability has been identified in the Management Interface of the Cloud Access Connector and the Cloud Access Connector Legacy for releases from April 20, 2020 and earlier (v15 and earlier for Cloud Access Connector). 

Affected releases have the potential to expose the Active Directory service account credentials that configured during Cloud Access Connector installation to an unauthenticated attacker of the service. 





Affected Products 

  • Cloud Access Connector v15 and earlier 
  • Cloud Access Connector (Legacy) from April 20, 2020 and earlier 


Available Updates 

  • Cloud Access Connector v16 and newer 
  • Cloud Access Connector (Legacy) update from April 20, 2020 onwards 


Workarounds and Mitigations 

Block or restrict network connectivity to https://<fqdn or ip address of Cloud Access Connector>/CloudAccessManager/ to trusted networks only to reduce the scope of exposure. 



The following article describes this class of vulnerability (CWE-522: Insufficiently Protected Credentials) 



We would like to thank Michael Fowl and team of VDA Labs team for finding and reporting this vulnerability.