Executive Summary
In May 2026, security researcher Tom Jøran Sønstebyseter Rønning disclosed that Microsoft Edge decrypts and stores all saved user passwords in cleartext within process memory upon browser launch, retaining them throughout the session. This design allows attackers with administrative privileges to access these credentials, posing significant risks in shared and enterprise environments. Microsoft confirmed this behavior is intentional, stating it is 'by design.'
This incident underscores the critical need for organizations to reassess their reliance on browser-based password storage solutions. The exposure of credentials in memory highlights vulnerabilities that can be exploited, emphasizing the importance of adopting dedicated password management tools and implementing robust security policies to mitigate such risks.
Why This Matters Now
The intentional storage of decrypted passwords in memory by Microsoft Edge presents an immediate security concern, especially in shared and enterprise environments where administrative access can be exploited to harvest credentials, leading to potential data breaches and unauthorized access.
Attack Path Analysis
An attacker with administrative privileges exploited Microsoft Edge's storage of passwords in cleartext within process memory to extract user credentials. These credentials were then used to escalate privileges, move laterally across systems, establish command and control channels, exfiltrate sensitive data, and ultimately disrupt business operations.
Kill Chain Progression
Initial Compromise
Description
The attacker gained administrative access to a system running Microsoft Edge.
MITRE ATT&CK® Techniques
- OS Credential Dumping
- Unsecured Credentials: Credentials in Files
- Valid Accounts
- Application Layer Protocol: Web Protocols
- File and Directory Discovery
- Remote Services: Remote Desktop Protocol
- Impair Defenses: Disable or Modify Tools
- Brute Force: Password Guessing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Secure Storage of Account Data (Control ID: 8.2.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Identity (Control ID: Pillar 2)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
The Microsoft Edge credential theft vulnerability poses a severe risk to banking passwords and financial data, enabling lateral movement and ransomware attacks in shared enterprise environments.
Information Technology/IT
IT organizations face critical exposure through Edge's cleartext password storage in memory, allowing admin-level attackers to harvest credentials across VDI and terminal server infrastructures.
Government Administration
Government agencies risk widespread credential compromise through the Edge vulnerability, particularly in shared workstation environments where administrative access could expose classified system passwords.
Health Care / Life Sciences
Healthcare organizations face HIPAA compliance violations and patient data breaches as Edge credential theft could provide unauthorized access to medical systems and databases.
Sources
- Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk: https://www.darkreading.com/cyber-risk/microsoft-edge-passwords-enterprise-risk
- Microsoft Says Edge Password Security Vulnerability Is 'By Design'—Is It Time To Switch To Chrome?: https://www.forbes.com/sites/daveywinder/2026/05/05/microsoft-says-edge-password-security-vulnerability-is-by-design-is-it-time-to-switch-to-chrome/
- Microsoft Edge password manager security: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-password-manager-security
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, establish command and control channels, exfiltrate sensitive data, and disrupt business operations.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been limited to the compromised system, reducing the potential for further exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to utilize extracted credentials may have been constrained, reducing the risk of unauthorized access to sensitive resources.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been restricted, limiting the spread of the attack within the network.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been hindered, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been detected and blocked, reducing the risk of data loss.
The overall impact of the attack may have been minimized, reducing operational disruptions and data compromise.
Impact at a Glance
Affected Business Functions
- User Authentication
- Access Control
- Data Security
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of all user credentials stored in Microsoft Edge, including sensitive corporate and personal accounts.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict administrative access and limit lateral movement.
- Deploy East-West Traffic Security to monitor and control internal traffic flows.
- Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities.
- Regularly review and update security policies to address emerging threats and vulnerabilities.