Have the affected companies addressed these vulnerabilities?

Yes, Bitwarden, LastPass, and Dashlane have begun implementing fixes and security hardening measures to address the identified vulnerabilities.

Is there evidence that these vulnerabilities have been exploited in the wild?

As of now, there is no evidence that these vulnerabilities have been exploited in real-world scenarios.

Critical Vulnerabilities in Major Password Managers Expose Millions

A recent study reveals significant security flaws in Bitwarden, LastPass, and Dashlane, affecting over 60 million users worldwide.

Published: February 23, 2026

Share this on:

Executive Summary

In February 2026, researchers from ETH Zurich and Università della Svizzera italiana identified 25 critical vulnerabilities across three major password managers: Bitwarden, LastPass, and Dashlane. These flaws, affecting over 60 million users, were categorized into key escrow mechanisms, item-level vault encryption, sharing features, and backward compatibility issues. Exploiting these vulnerabilities could allow attackers to bypass zero-knowledge encryption claims, leading to unauthorized access and modification of users' stored passwords and vault data. (cybersecuritynews.com)

The study underscores the ongoing challenges in balancing security and user convenience in password management solutions. While the affected companies have begun implementing fixes, the incident highlights the necessity for continuous evaluation and enhancement of security protocols to protect sensitive user information.

Why This Matters Now

This incident highlights the critical need for continuous evaluation and enhancement of security protocols in password management solutions, especially as attackers increasingly target such platforms to access sensitive user information.

Attack Path Analysis

An attacker compromised the password manager's update mechanism, escalating privileges to inject malicious code. They moved laterally within the infrastructure, establishing command and control channels. Sensitive user data was exfiltrated, leading to significant data breaches and operational disruptions.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

High

Impact

High

Initial Compromise

Description

The attacker compromised the password manager's update mechanism to distribute malicious code to users.

Confidence:

High

MITRE ATT&CK® Techniques

Credential Access

T1555.005

Credentials from Password Stores: Password Managers

Defense Evasion

T1078

Valid Accounts

Credential Access

T1556.001

Modify Authentication Process: Credential API Hooking

Credential Access

T1552.001

Unsecured Credentials: Credentials in Files

Defense Evasion

T1556.006

Modify Authentication Process: Multi-Factor Authentication

Credential Access

T1557

Adversary-in-the-Middle

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Secure Management of Non-Consumer Accounts

Control ID: 8.6.2

The incident highlights vulnerabilities in password managers, emphasizing the need for secure management of non-consumer accounts to prevent unauthorized access.

NYDFS 23 NYCRR 500 – Access Privileges

Control ID: 500.07

Unauthorized access to password manager vaults indicates inadequate access privilege controls, violating requirements to limit access to sensitive data.

DORA – ICT Risk Management Framework

Control ID: Article 5

The compromise of password managers underscores deficiencies in ICT risk management frameworks, necessitating robust controls to mitigate such risks.

CISA ZTMM 2.0 – Implement Strong Authentication Mechanisms

Control ID: Identity and Access Management

The incident reveals weaknesses in authentication mechanisms within password managers, contravening zero trust principles that require strong authentication.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The breach indicates insufficient cybersecurity risk management measures, as required by the directive to protect network and information systems.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

Password manager backdoors create critical supply-chain vulnerabilities for financial institutions storing client credentials, compromising regulatory compliance and enabling data exfiltration attacks.

Health Care / Life Sciences

Compromised password managers expose patient data vaults and medical system credentials, violating HIPAA requirements while enabling lateral movement across healthcare networks.

Information Technology/IT

IT organizations face elevated supply-chain risks as compromised password managers can expose client infrastructure credentials, enabling privilege escalation and cross-organization attacks.

Computer/Network Security

Security firms using vulnerable password managers face reputational damage and client trust erosion as backdoors undermine zero-trust principles and compromise managed security services.

Sources

On the Security of Password Managershttps://www.schneier.com/blog/archives/2026/02/on-the-security-of-password-managers.html
Verified

Some top password managers can be hacked and hijacked to change your passwords - here's what we knowhttps://www.techradar.com/pro/security/some-top-password-managers-can-be-hacked-and-hijacked-to-change-your-passwords-heres-what-we-know

Verified

Password managers don’t protect secrets if pwnedhttps://www.theregister.com/2026/02/16/password_managers/

Verified

ETH Zurich Found 25 Flaws in Password Managers (Bitwarden, LastPass, Dashlane)https://safepasswordgenerator.net/blog/eth-zurich-password-manager-flaws-2026/

Verified

Frequently Asked Questions

The vulnerabilities included issues with key escrow mechanisms, item-level vault encryption flaws, sharing feature exploits, and backward compatibility problems, all of which could lead to unauthorized access and modification of user data.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to distribute malicious code through the compromised update mechanism would likely be constrained, reducing the scope of initial compromise.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing the scope of unauthorized access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement would likely be constrained, reducing the reachability to other systems and data.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing persistent access.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's data exfiltration efforts would likely be constrained, reducing the scope of data loss.

Impact (Mitigations)

The overall impact of the breach would likely be constrained, reducing operational disruptions and financial losses.

Impact at a Glance

Affected Business Functions

User Credential Management
Data Security
Access Control

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Potential exposure of user credentials and sensitive data stored within password manager vaults.

Recommended Actions

• Implement Zero Trust Segmentation to restrict lateral movement within the network.
• Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
• Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
• Deploy Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.
• Regularly review and update supply chain security controls to mitigate risks associated with third-party software components.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Critical Vulnerabilities in Major Password Managers Expose Millions

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Credentials from Password Stores: Password Managers

Valid Accounts

Modify Authentication Process: Credential API Hooking

Unsecured Credentials: Credentials in Files

Modify Authentication Process: Multi-Factor Authentication

Adversary-in-the-Middle

Potential Compliance Exposure

PCI DSS 4.0 – Secure Management of Non-Consumer Accounts

NYDFS 23 NYCRR 500 – Access Privileges

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Implement Strong Authentication Mechanisms

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Financial Services

Health Care / Life Sciences

Information Technology/IT

Computer/Network Security

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads