CyberArk: Database discovery and automated onboarding
We’re excited to announce a new capability in our discovery SaaS, which extends support to databases. This enhancement enables teams to seamlessly uncover, secure, and onboard database accounts with greater efficiency. Security teams can now accelerate onboarding at scale, reduce manual effort, and ensure database credentials are continuously rotated and tightly controlled.
Key highlights:
- Targeted scanning: Run discovery scans using a CSV list of targets containing access details.
- Dynamic credential utilization: The scan automatically fetches relevant vaulted credentials at runtime, based on target data.
- Centralized discovery flow: Accounts identified during scans are routed into the Discovered Accounts area, making it simple to review and vault them together with other discoveries.
- Automated remediation rules: Define onboarding rules to automatically vault and manage discovered accounts.
- End-to-end coverage: From discovery → onboarding → rotation and access services, database accounts are fully managed in one streamlined workflow.
Supported databases:
- MS SQL Server
- Oracle
- MySQL
- PostgreSQL
CyberArk: CA25-31 – Potential authenticated remote code execution.
Issued: September 10, 2025
Updated: N/A
Version: 1.0
Severity: High
CVSS Score: 8.7
Third-party publication / CVE: N/A
Impact: Potential authenticated remote code execution.
Affected products and versions:
Secrets Manager – Self-Hosted (formerly Conjur Enterprise) – 13.5.0 – 13.5.2- 13.6.0 – 13.6.2
* This Security Bulletin applies only to the listed affected products. If this issue also affects another CyberArk product, it will be addressed separately in accordance with CyberArk’s Product Vulnerability Management Policy.
** Relates only to versions that are within their development life cycle. Refer to our End of Life policy for details.
Resolution
Upgrade to a patch version from the table below by downloading the patch from the respective link and following the instructions in our online documentation.
If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility docs.
Installed version:
Secrets Manager – Self-Hosted (Conjur Enterprise) prior to 13.6.3 – Patch version 13.6.3 – Documentation
Secrets Manager – Self-Hosted (Conjur Enterprise) 13.5 and its patches prior to 13.5.3 – Patch version 13.5.3 – Documentation
Temporary mitigation
There is no temporary mitigation available for this security bulletin.
Exploited in the wild in a CyberArk environment
Not to the best of CyberArk’s knowledge.
Technical FAQ
Are there any pre-upgrading steps that should be carried out before upgrading?
- Backup your current environment.
- Verify the minimum requirements for Conjur Enterprise and Vault Synchronizer.
- Review the deployment workflow to ensure the usage of the relevant commands needed.
As CyberArk receives questions related to this Security Bulletin, answers will be added to the Technical FAQ article. To stay informed of updates, open the FAQ article and click the Follow button to receive notifications when new questions and answers are published.
CyberArk: CA25-30 – Possible stack overflow that can lead to denial of service (DoS).
Issued: September 3, 2025
Updated: N/A
Version: 1.0
Severity: High
CVSS Score: 7
Third-party publication / CVE:
CVE-2025-48924</a >
Impact: Possible stack overflow that can lead to denial of service (DoS).
Affected products and versions:
z/OS Credential Provider All versions prior to version 14.2
Resolution:
Upgrade to a patch version from the table below by downloading the patch from the respective link and following the instructions in our online documentation.
If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility docs.
Installed version:
z/OS Credential Provider (Java Provider) 14.2 (LTS) and its patches prior to 14.2.3 – Patch version: 14.2.3 –
z/OS Credential Provider (Java Provider) 12.6 (LTS) and its patches prior to 12.6.6 or earlier versions – Patch version: 12.6.6
Temporary mitigation:
There is no temporary mitigation available for this security bulletin.
CyberArk: CA25-29 – Potential exposure to Prototype Pollution as described in the above third-party CVE
Issued: August 27, 2025
Updated: N/A
Version: 1.0
Severity: High
CVSS Score: 7.8
Third-party publication / CVE: CVE-2024-38996
Impact: Potential exposure to Prototype Pollution as described in the above third-party CVE.
Affected products and versions:
Password Vault Web Access (PVWA) Self-Hosted: All versions earlier than 14.2.4 – All product subsets are affected.
* This Security Bulletin applies only to the listed affected products. If this issue also affects another CyberArk product, it will be addressed separately in accordance with CyberArk’s Product Vulnerability Management Policy.
** Relates only to versions that are within their development life cycle. Refer to our End of Life policy for details.
Resolution:
Upgrade to a patch version from the table below by downloading the patch from the respective link and following the instructions in our online documentation.
If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility docs.
PAM On Cloud customers:
- Version 14.2 and later: Download and deploy the patched image from the Marketplace for your deployed solution:
- Versions earlier than 14.2: Follow the instructions for on-premises patches for your deployed version.
Temporary mitigation:
There is no temporary mitigation available for this security bulletin.
Exploited in the wild in a CyberArk environment:
Not to the best of CyberArk’s knowledge.
