Security is built into our bones
Delinea’s Privileged Access Management solutions are built with security as a foundation from the start. We adhere to industry standards and frameworks, and ensure security testing is performed as a critical component of our software development processes along with continuous Quality Assurance (QA) checks.
Our cybersecurity defense measures address key components, including intrusion detection, Distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, machine learning, and Security Operations Center. We also monitor and protect against critical web application security risks incorporating OWASP Top 10 and Automated Top 20 threats.
Encryption assured for data in transit and at rest
Customer data is fully isolated and encrypted both in transit and at rest, using the AES-256 standard encryption algorithm and PBKDF2-HMAC-SHA256 hashing algorithm. Delinea uses private encryption keys for each customer, with third-party key management support (AWS KMS). Secrets are systematically “salted” before being hashed and encrypted with their own unique Initialization Vector and Key.
Connections to Delinea cloud services are protected via Transport Layer Security (TLS). Distributed Engine communications are also secured with an additional encryption key unique to each tenant.
Documents
Delinea Secret Server Dump - 3rd Party Script Advisory
We are aware of a publicly available script that references Secret Server. This script does not exploit any new or active vulnerability within the product. Instead, it attempts to decrypt secrets from environments where the user running it must have administrative access to both the application server and its databases.
Secret Server on-premises is delivered as an application. Delinea continuously assesses and addresses vulnerabilities across all supported components. While Delinea is responsible for maintaining the security of the application, customers are responsible for securing and hardening the environments in which they deploy and host Secret Server. Administrator access to the application server on which Secret Server on-premise is hosted provides full management control over the application. This means that if an attacker gains this level of control, they could obtain both the database data and the encryption key, which enables decryption of secrets. Preventing unauthorized access to the hosting environment is therefore of utmost importance. To secure your configuration we recommend following security best practices such as the CIS Critical Security Controls, as well as :
- Use EFS (Encrypting File System)
- Use HSM (Hardware Security Module) that meets HSM Security Assessment Level 2
- Use DPAPI to encrypt the encryption.config file (this does not protect from the use of the tool, but does provide additional security in case the file is retrieved from backup and decryption is performed on a different machine)
- Use DoubleLock
- Protect and restrict access to the local admin account and the service account that runs Secret Server on the application server
- Protect underlying infrastructure on which Secret Server is hosted.
Note: Secret Server Cloud is not directly impacted by this issue. Please see these documentation sections for more information:
• https://docs.delinea.com/online-help/secret-server/security-hardening/hardening-guides/security-hardening-guide/index.htm#Database
• https://docs.delinea.com/online-help/secret-server/security-hardening/hardening-guides/security-hardening-guide/index.htm#ApplicationServer
• https://docs.delinea.com/online-help/secret-server/security-hardening/hardening-guides/security-hardening-guide/index.htm#ApplicationSettings
• https://www.cisecurity.org/controls
Delinea Secret Server on-prem RPC Password Rotation authentication vulnerability - CVE-2025-12810
Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).
This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25.
A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password.
Affected Product and Version
Delinea Secret Server on-prem versions 11.8.1, 11.9.6, and 11.9.25
Resolution
Upgrade to Secret Server version 11.9.47 or later
The secret will remain checked out when the password change fails.
CVE Details
- CVE ID: CVE-2025-12810
- Published Date: January 27, 2026
- Vulnerability Type: Improper Authentication
- CWE: 287
- CVSS v4.0 Score: 5.3
- CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/AU:Y/R:A
Delinea Platform achieves PCI-DSS compliance
Delinea Platform has achieved PCI DSS 4.0.1 compliance, ensuring adherence to industry-recognized security requirements for payment data. Supporting documentation can be found by clicking on PCI-DSS in the Compliance section.
Assessment of recently-announced Critical Vulnerabilities in React and Next.js (CVE-2025-55182 and CVE-2025-66478)
Delinea has reviewed the recently announced React and Next.js critical vulnerabilities (CVE-2025-55182 and CVE-2025-66478) and has determined that Delinea products are not impacted. Delinea will continue to monitor and assess the vulnerabilities as new updates become available and will provide further communications if our disposition changes.
Gainsight Security Notification
Delinea has reviewed the recently announced Gainsight compromise and has confirmed that Delinea has not been impacted. Delinea will continue to monitor and assess this vulnerability as new updates become available and will provide further communications if our disposition changes.
If you have questions, please contact your Customer Success Manager, Engagement Manager, or Partner Manager. Please subscribe to the Delinea Trust Center for future security and other important announcements.