Attackers Can Retrieve Master Passwords from Memory Using the KeePass Exploit (31st May 2023)

Ref# AL2023_43 | Date: May 31st 2023


The well-known password manager KeePass has a flaw that makes it possible to extract the master password from the program”s memory, giving hackers who gain access to a device access to the password even while the database is protected. 

A proof-of-concept (PoC) has been released for a vulnerability affecting the KeePass password manager that, under certain conditions, might be used to recover a victim”s master password in cleartext. 


The vulnerability can recover the password in plaintext, except the initial password character. Only a memory dump, not code execution, is needed on the target machine.  

It is also possible to dump the password from RAM after KeePass has ceased working, but the likelihood that this would work lessens over time. 

It is important to note that a potential target”s computer must already be infected for the bug to be successfully exploited. Additionally, the password must be entered manually using a keyboard rather than being copied to the device”s clipboard. since it stores each character the user types in the program memory.  

As a result, there is a chance that a hacker may extract the program”s memory and reconstruct the password in plaintext, excluding the first character.  

The discovery comes shortly after another medium-severity vulnerability (CVE-2023-24055) in the free and open-source password manager was discovered. This flaw might have allowed someone with write access to the software”s XML configuration file to get cleartext passwords from the password database. 

According to KeePass, the “password database is not intended to be secure against an attacker who has that level of access to the local PC.” 

It also comes in the wake of Google security research results that described a vulnerability in password managers like Bitwarden, Dashlane, and Safari that can be exploited to automatically insert saved credentials into malicious websites, potentially resulting in account takeovers. 


The Guyana National CIRT (Computer Incident Response Team) encourage users to update to KeePass 2.54 as soon as it is made available. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary 

PDF Download: Attackers Can Retrieve Master Passwords from Memory Using the KeePass Exploit.pdf