Security is built into our bones
Delinea’s Privileged Access Management solutions are built with security as a foundation from the start. We adhere to industry standards and frameworks, and ensure security testing is performed as a critical component of our software development processes along with continuous Quality Assurance (QA) checks.
Our cybersecurity defense measures address key components, including intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, machine learning, and a Security Operations Center. We also monitor and protect against critical web application security risks by incorporating the OWASP Top 10 and Automated Top 20 threat lists.
Encryption assured for data in transit and at rest
Customer data is fully isolated and encrypted both in transit and at rest, using the AES-256 encryption algorithm and the PBKDF2-HMAC-SHA256 hashing algorithm. Delinea uses private encryption keys for each customer, with third-party key management support (AWS KMS). Secrets are systematically “salted” before being hashed, and each is encrypted with its own unique initialization vector (IV) and key.
Connections to Delinea cloud services are protected via Transport Layer Security (TLS). Distributed Engine communications are also secured with an additional encryption key unique to each tenant.
Delinea has reviewed the critical Kubernetes vulnerabilities disclosed on March 25, 2025 (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974) and has determined that they’re applicable to the Delinea Platform and Secret Server Cloud offerings. The Kubernetes clusters for both offerings do not have internet-facing admission controllers and could not have been exploited without internal access. Delinea has promptly patched and successfully tested both product offerings and, out of an abundance of caution, has examined all recent activity and determined that there are no indicators of compromise. Delinea will continue to monitor the service offerings in question and provide communication updates if new material information comes to light.
If you have questions, please contact your Customer Success Manager, Engagement Manager, or Partner Manager. Please subscribe to the Delinea Trust Center for future security and other important announcements.
During a customer test of Secret Server, a third party discovered vulnerabilities in the protocol handler function, now disclosed as CVE-2024-12908.
The third party approached Delinea with their findings, and in collaboration with Delinea's Development and Security staff, Delinea created a remediation plan in accordance with our responsible disclosure policy.
The vulnerability existed in the Secret Server protocol handler, where URIs were compared before normalization and canonicalization. This could lead to over-matching against the approved list: a URI that differed from an approved entry only in its un-normalized form could be accepted as if it were that entry.
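A defender-side illustration of the bug class described above, added here as an example and not code from Delinea or Secret Server: a constructed allowlist checked by raw-string prefix comparison (the weak pattern) beside a checker that canonicalizes both sides before comparing. The hostnames and allowlist entries are made up for the example.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed allowlist for this example; not any product's real approved list.
APPROVED_PREFIXES = ("https://vault.example.com/launch",)

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_is_approved(uri: str) -> bool:
    """Weak form: prefix-compare the raw string before any normalization.
    Equivalent spellings of the same target are judged differently, and a
    path that only *starts* like an approved entry is accepted."""
    return any(uri.startswith(p) for p in APPROVED_PREFIXES)


def canonicalize(uri: str) -> str:
    """Produce one canonical spelling for equivalent URIs: lower-case scheme
    and host, drop the default port, percent-decode the path and resolve
    '.' / '..' segments. Query and fragment are dropped for comparison."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # raises ValueError on a malformed port, which is fine here
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    # unquote first so encoded dot segments (%2e%2e) are resolved like literal ones;
    # normpath of an absolute path cannot climb above "/"
    path = posixpath.normpath(unquote(parts.path) or "/")
    return f"{scheme}://{netloc}{path}"


def canonical_is_approved(uri: str) -> bool:
    """Hardened form: canonicalize both sides, then match exactly or on a
    path-segment boundary so '/launchpad' does not match '/launch'."""
    canon = canonicalize(uri)
    for approved in (canonicalize(p) for p in APPROVED_PREFIXES):
        if canon == approved or canon.startswith(approved + "/"):
            return True
    return False


if __name__ == "__main__":
    for candidate in ("https://vault.example.com/launch/../admin",
                      "https://vault.example.com/launch/%2e%2e/admin",
                      "https://vault.example.com/launchpad",
                      "HTTPS://VAULT.example.com:443/launch"):
        print(f"{candidate}: naive={naive_is_approved(candidate)} "
              f"canonical={canonical_is_approved(candidate)}")
```

The first three candidates are accepted by the naive check although they resolve outside the approved entry; the last is the approved target spelled differently, which the naive check wrongly rejects.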
Delinea patched the SaaS instance on October 9, 2024 and released a patch for the on-premises version on November 26, 2024. The time between those release dates and publishing the CVE allows for customers to upgrade before going live with the disclosure.
If operators of this software have not yet installed version 11.7.49, which remediates the vulnerability, they should do so at their earliest convenience.
During a customer test of Privilege Manager, a third party discovered vulnerabilities in the application, now disclosed as CVE-2024-52926.
The third party approached Delinea with their findings, and in collaboration with Delinea's Development and Security staff, Delinea created a remediation plan in accordance with our responsible disclosure policy.
The vulnerability existed in the Privilege Manager Agent where a non-administrative user could escalate their rights if Privilege Manager had previously elevated a process in that user’s session.
Delinea patched the SaaS instance on September 28, 2024 and released a patch for the on-premises version on October 11, 2024. The time between those release dates and publishing the CVE allows for customers to upgrade before going live with the disclosure.
If operators of this software have not yet installed version 12.0.2153, which remediates the vulnerability, they should do so at their earliest convenience.
On 19 July, operators of Microsoft Windows operating systems, which use a CrowdStrike product for endpoint protection, experienced outages as a result of a CrowdStrike product update that did not install as planned.
Delinea’s products and services are not affected by any of these outages. Delinea’s SaaS products remain operational and within SLA. Status of Delinea’s SaaS systems can be accessed 24/7 at https://status.delinea.com/.
Customers may elect to subscribe to that status page to receive updates in real-time.
Additionally, Delinea has reached out to our critical vendors and service providers and they continue to provide their services to Delinea in accordance with their agreements with Delinea.
For those customers who are users of CrowdStrike Falcon, Microsoft has created a recovery tool which is an option for enabling recovery of impacted systems. You can learn more from Microsoft at the link above. As this is a Microsoft provided tool, Delinea does not assume any responsibility or risk on behalf of our customers who decide to use this tool.
The Apache Foundation has disclosed a critical vulnerability in their HTTP Server, documented in CVE-2024-39884.
Delinea does not use the Apache HTTP Server to provide services. As a precaution, Delinea ran a scan of its assets to verify no traces of the Apache HTTP Server were found.
As such, Delinea is not impacted by CVE-2024-39884.
If you think you may have discovered a vulnerability, please send us a note.