8 October 2025

CyberArk: CA25-32 – Potential disclosure of sensitive information in Central Credential Provider (CCP).

Issued: October 8, 2025

Updated: N/A

Version: 1.0

Severity: High

CVSS Score: 7.1

Third-party publication / CVE: N/A

Impact: Potential disclosure of sensitive information in Central Credential Provider (CCP).

 

Affected products and versions:

Central Credential Provider (CCP) – Versions 14.0 and 14.2 – Versions prior to 14.0 are not affected

* This Security Bulletin applies only to the listed affected products. If this issue also affects another CyberArk product, it will be addressed separately in accordance with CyberArk’s Product Vulnerability Management Policy.

** Relates only to versions that are within their development life cycle. Refer to our End of Life policy for details.

 

Resolution

Upgrade to a patch version from the following table by downloading the patch from the respective link and following the instructions in our online documentation.

If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility documentation.

 

Installed Version: 14.0, 14.2, and their patches prior to 14.2.4

Patch Version: 14.2.4

Patch link: https://www.cyberark.com/CA25-32-CCP-14.2.4

Upgrade instructions: Upgrade the Central Credential Provider (CCP). Note: Ensure that you upgrade the CCP’s Credential Provider (CP).

 

Temporary mitigation

There is no temporary mitigation available for this security bulletin.

 

Exploited in the wild in a CyberArk environment

Not to the best of CyberArk’s knowledge.

 

Technical FAQ

Are Credential Provider (CP) and Application Server Credential Provider (ASCP) also affected by this issue?

Yes. Credential Provider versions 14.0 and 14.2, including all patches prior to version 14.2.4, are affected by this issue. However, due to the limited attack vector, it is scored as medium severity and does not merit a bulletin announcement. The Application Server Credential Provider relies on the Credential Provider and is therefore also impacted by this issue (at medium severity).

A fix is available in Credential Provider version 14.2.4: https://www.cyberark.com/CA25-32-CP-14.2.4.

As CyberArk receives questions related to this Security Bulletin, answers will be added to the Technical FAQ article. To stay informed of updates, open the FAQ article and click Follow to receive notifications when new questions and answers are published.




6 October 2025

SailPoint Introduces: Agent Identity Security

Why This Matters

As AI agents become integral members of the workforce, organizations need a way to govern and secure them just like human identities.
Agent Identity Security helps enterprises:

 

  • Discover, secure, and govern AI agents under one unified control plane
  • Assign ownership and ensure accountability for every agent
  • Prevent over-permissioning, misalignment, and regulatory exposure

 

What Has Changed

Agent Identity Security extends SailPoint’s Identity Security Cloud to include AI agents alongside human users.
Key capabilities include:

 

  • AI Agent Aggregation & Identity Creation – Connect directly to AWS, Azure, and GCP to onboard AI agents with enriched identity context
  • Ownership & Succession Planning – Assign human owners to agents and maintain continuous oversight
  • Certification & Review – Recertify agent access regularly and revoke inappropriate permissions
  • Tool Governance – Apply consistent policies to agent service accounts from creation through retirement
  • Audit & Traceability – Maintain full audit trails and certification records for compliance and investigations

 

Available for: Business and Business+ customers as an add-on capability

 




2 October 2025

CyberArk: Database discovery and automated onboarding

We’re excited to announce a new capability in our discovery SaaS, which extends support to databases. This enhancement enables teams to seamlessly uncover, secure, and onboard database accounts with greater efficiency. Security teams can now accelerate onboarding at scale, reduce manual effort, and ensure database credentials are continuously rotated and tightly controlled.

 

Key highlights:

  • Targeted scanning: Run discovery scans using a CSV list of targets containing access details.
  • Dynamic credential utilization: The scan automatically fetches relevant vaulted credentials at runtime, based on target data.
  • Centralized discovery flow: Accounts identified during scans are routed into the Discovered Accounts area, making it simple to review and vault them together with other discoveries.
  • Automated remediation rules: Define onboarding rules to automatically vault and manage discovered accounts.
  • End-to-end coverage: From discovery → onboarding → rotation and access services, database accounts are fully managed in one streamlined workflow.

 

Supported databases:

  • MS SQL Server
  • Oracle
  • MySQL
  • PostgreSQL

 




22 September 2025

Okta introduces a new capability: the Okta MCP Server

Why This Matters

  • Lets AI agents interact directly with Okta using natural language
  • Reduces the need for manual API calls or custom scripts
  • Enables automation of tasks like adding users, managing groups, and generating reports

 

What Has Changed

  • MCP Server bridges AI models with Okta’s Admin APIs
  • Supports both interactive login and secure headless authentication (private key JWT)
  • Built on Okta’s official SDK for reliability and tight integration

 

Timelines