StrongDM's Security & Compliance Programs are rooted in providing our Customers with the most secure infrastructure access platform on the market. If you have further questions beyond the information provided here, please reach out to your sales representative or your Customer Success Manager at csm-team@strongdm.com. If you're interested in the StrongDM Platform and how it can solve your Infrastructure Access problems, please reach out to sales@strongdm.com.
Documents
Featured Documents
Newsworthy Vulnerability Updates
Statement on StrongDM's exposure to the React Server Components vulnerability (React2Shell)
We are aware of the critical security vulnerability (CVE-2025-55182), also known as React2Shell, disclosed by the React team on December 3, 2025, affecting React Server Components. This vulnerability, rated CVSS 10.0, allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
StrongDM does not use React Server Components in any production systems. Our internal review of the vulnerability, including analysis of our production dependencies and infrastructure, confirms that no StrongDM production systems are affected by this vulnerability.
We will continue to monitor the situation as the React team and affected framework maintainers release additional guidance, and will post updates to this notice as relevant information surfaces.
Originally published on March 27, 2025
Statement on StrongDM's exposure to Oracle Cloud's Breach
On March 21st, 2025, CloudSEK released a report on a potential security incident involving Oracle Cloud. This report was updated on March 25th, 2025, to state that approximately 140,000 tenants were affected by the security incident. The tool released by CloudSEK indicated that StrongDM was one of the Oracle tenants impacted.
StrongDM’s Oracle Cloud environment is strictly for research and technical demonstrations. We do not host any Customer Data in Oracle Cloud, nor do we host any production systems there. Because of the strict segmentation that StrongDM employs across our IaaS providers, the risk of Customer Data disclosure is very low.
Despite this very low assessed risk, StrongDM’s Security & Technology Teams launched an impact investigation and took a number of preemptive actions within StrongDM’s Oracle environment, including credential rotations and tightening account recovery and lockout settings. We comprehensively audited all logins and user activity and found no suspicious activity. StrongDM strictly enforces MFA for all logins and continuously monitors all administrator activities for indicators of compromise.
StrongDM will continue to monitor the situation and apply remediation measures as they develop.
Originally published on July 3, 2024
Update on RegreSSHion Vulnerability (CVE-2024-6387)
Qualys has identified a vulnerability in OpenSSH: versions earlier than 4.4p1, and versions from 8.5p1 up to but not including 9.8p1, are vulnerable to remote code execution. The CVE is listed below with links to resources:
CVE-2024-6387
• NIST NVD
• MITRE CVE List
StrongDM's Trust team has investigated our environment for systems that could be affected by this vulnerability, and we have not found any systems that are publicly available with software affected by this vulnerability.
Originally published on June 22, 2023
StrongDM Not Impacted by the MOVEit Vulnerability
We recently became aware of a vulnerability within the file transfer software product, MOVEit. Reputable threat intelligence sources have reported that this incident impacts customers of this solution: https://www.securityweek.com/moveit-customers-urged-to-patch-third-critical-vulnerability/.
We want our customers and potential customers to know that StrongDM is not impacted by this vulnerability.
We do not use MOVEit within our product or business functions, in any capacity. We are also not aware of any usage of MOVEit software amongst our contracted third parties currently.
The OpenSSL Project has announced the availability of a security update (version 3.0.7) that addresses a vulnerability affecting the OpenSSL 3.0 series, versions 3.0.0 through 3.0.6.
The two CVEs are listed below:
- CVE-2022-3602
- CVE-2022-3786
Response
StrongDM's Trust teams have enumerated the services that could be affected by these vulnerabilities, and no vulnerable versions of the OpenSSL software were found.
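The two notices above (RegreSSHion, CVE-2024-6387, and the OpenSSL 3.0 CVEs) each state a vulnerable version range. The script below is an added example, not StrongDM's own tooling or code from this page: it parses an OpenSSH or OpenSSL version string, or a full `ssh -V` banner, and reports whether the installed version falls inside the ranges stated on this page. The function names, the range table and the sample banner are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Vulnerable ranges as stated on this page, expressed as half-open
# intervals [low, high): low <= version < high. A low bound of None
# means "every version below high".
VULNERABLE_RANGES: Dict[str, List[Tuple[Optional[str], str]]] = {
    # CVE-2024-6387: earlier than 4.4p1, and 8.5p1 up to but not including 9.8p1
    "openssh": [(None, "4.4p1"), ("8.5p1", "9.8p1")],
    # CVE-2022-3602 / CVE-2022-3786: 3.0.0 through 3.0.6, fixed in 3.0.7
    "openssl": [("3.0.0", "3.0.7")],
}

# major.minor[.patch][pN]; the "pN" suffix is the OpenSSH portable release.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, portable) for strings such as
    'OpenSSH_9.6p1', '8.5p1', 'OpenSSL 3.0.6' or '1.1.1w'.
    Missing components count as 0, so tuples compare naturally."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())  # type: ignore[return-value]


def is_vulnerable(product: str, version_text: str) -> bool:
    """True if version_text lies inside any range the page lists for product."""
    v = parse_version(version_text)
    for low, high in VULNERABLE_RANGES[product]:
        above_low = low is None or parse_version(low) <= v
        if above_low and v < parse_version(high):
            return True
    return False


# Patterns for the banner printed by `ssh -V`, e.g.
# "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024"
_SSH_RE = re.compile(r"OpenSSH_(\d+\.\d+(?:\.\d+)?(?:p\d+)?)")
_SSL_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]?)")


def assess_ssh_banner(banner: str) -> Dict[str, Tuple[str, bool]]:
    """Map each product found in an `ssh -V` banner to (version, vulnerable)."""
    result: Dict[str, Tuple[str, bool]] = {}
    for product, pattern in (("openssh", _SSH_RE), ("openssl", _SSL_RE)):
        m = pattern.search(banner)
        if m:
            result[product] = (m.group(1), is_vulnerable(product, m.group(1)))
    return result


if __name__ == "__main__":
    # Constructed sample banner; on a real host use: ssh -V 2>&1
    sample = "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024"
    for product, (version, vulnerable) in assess_ssh_banner(sample).items():
        status = "IN VULNERABLE RANGE" if vulnerable else "not in range"
        print(f"{product}: {version} -> {status}")
```

A version-only check is a triage aid, not a verdict: distributions often backport fixes into an older version string, so a host reporting 9.6p1 may already carry the patch, and the reverse is never true. Confirm against the vendor's advisory or package changelog before closing a finding.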
Security Advisories (StrongDM Products)
SDMSA-2025-004 (CVE-2025-6183)
Summary
The StrongDM macOS client incorrectly processed JSON-formatted messages. Attackers could potentially modify macOS system configuration by crafting a malicious JSON message.
Affected Products & Versions
The configuration injection vulnerability affects all macOS client application CLI versions below sdm-cli 47.39.0.
Solution
Any customers using macOS sdm-cli below version 47.39.0 should update to or beyond version 47.39.0.
Vulnerability Details
CVE ID: CVE-2025-6183
CVSS v4.0 Score: 7.0
CVE Description: configd Injection
CWE Class: CWE-78: OS Command Injection
Acknowledgments
StrongDM would like to thank WithSecure/Reversec for responsibly reporting this vulnerability.
SDMSA-2025-003 (CVE-2025-6182)
Summary
The StrongDM Windows service incorrectly handled communication related to system certificate management. Attackers could exploit this behavior to install untrusted root certificates or remove trusted ones.
Affected Products & Versions
The command injection vulnerability affects all Windows client application CLI versions below sdm-cli 47.50.0.
Solution
Any customers using Windows sdm-cli below version 47.50.0 should update to or beyond version 47.50.0.
Vulnerability Details
CVE ID: CVE-2025-6182
CVSS v4.0 Score: 8.5
CVE Description: Root Certificate Injection
CWE Class: CWE-269: Improper Privilege Management
Acknowledgments
StrongDM would like to thank WithSecure/Reversec for responsibly reporting this vulnerability.
SDMSA-2025:002 (CVE-2025-6181)
Summary
The StrongDM Windows service incorrectly handled input validation. Authenticated attackers could potentially exploit this leading to privilege escalation.
Affected Products & Versions
The command injection vulnerability affects all Windows client application CLI versions below sdm-cli 47.39.0.
Solution
Any customers using Windows sdm-cli below version 47.39.0 should update to or beyond version 47.39.0.
Vulnerability Details
CVE ID: CVE-2025-6181
CVSS v4.0 Score: 8.5
CVE Description: PowerShell Command Injection
CWE Class: CWE-78: OS Command Injection
Acknowledgments
StrongDM would like to thank WithSecure/Reversec for responsibly reporting this vulnerability.
SDMSA-2025:001 (CVE-2025-6180)
Summary
The StrongDM Client insufficiently protected a pre-authentication token. Attackers could exploit this to intercept and reuse the token, potentially redeeming valid authentication credentials through a race condition.
Affected Products & Versions
The authentication hijack vulnerability affects all client application CLI versions below sdm-cli 47.97.0.
Solution
Any customers using sdm-cli below version 47.97.0 should update to or beyond version 47.97.0.
Vulnerability Details
CVE ID: CVE-2025-6180
CVSS v4.0 Score: 8.5
CVE Description: Authentication Hijack
CWE Class: CWE-319: Cleartext Transmission of Sensitive Information
Acknowledgments
StrongDM would like to thank WithSecure/Reversec for responsibly reporting this vulnerability.
Trust Center Updates
2022 Penetration Test Report Now Available
We are happy to announce the successful completion of a comprehensive penetration test of StrongDM's Platform AdminUI and API (also known as the "Control Plane").
In 2022, StrongDM engaged Cobalt Labs to conduct a gray-box penetration test, and we are proud to present the results of this test in the 2022 Control Plane Penetration Test Combined Report.